Distributed key secret for rewritable blockchain

ABSTRACT

A system includes circuitry for rewriting blockchains in a non-tamper-evident or tamper-evident operation using a key secret held in portions by multiple individually untrusted parties. The blockchains may include a series of blocks secured by integrity codes that may prevent non-tamper-evident rewrites by non-trusted parties that are not in possession of the key secret or individually-untrusted parties in possession of only a portion of the key secret. In some cases, multiple individually-untrusted parties may combine their portions into the key secret. As a group, the multiple individually-untrusted parties may perform non-tamper-evident operation with respect to at least one integrity code within the blockchain.

PRIORITY CLAIM

This application is a divisional of and claims priority to U.S. patentapplication Ser. No. 15/596,899, filed on 16 May 2017, titledDistributed Key Secret for Rewritable Blockchain, which is incorporatedby reference in its entirety. U.S. patent application Ser. No.15/596,899 claims priority to European Patent Application Serial No.17425018.3, filed 17 Feb. 2017, and titled Rewritable Blockchain, whichis incorporated by reference in its entirety. U.S. patent applicationSer. No. 15/596,899 also claims priority to European Patent ApplicationSerial No. 16425086.2, filed 11 Aug. 2016, and titled RewritableBlockchain. U.S. patent application Ser. No. 15/596,899 also claimspriority to European Patent Application Serial No. 16425044.1, filed 23May 2016, and titled Rewritable Blockchain.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to U.S. patent application Ser. No.15/596,904, filed on 16 May 2017, titled Rewritable Blockchain, which isincorporated by reference in its entirety. This application is relatedto U.S. patent application Ser. No. 15/596,922, filed on 16 May 2017,titled Multiple-Link Blockchain, which is incorporated by reference inits entirety. This application is related to U.S. patent applicationSer. No. 15/596,932, filed on 16 May 2017, titled Rewritable Blockchain,which is incorporated by reference in its entirety.

TECHNICAL FIELD

This disclosure relates to data verification, validation, and re-writingin complex real-world systems.

BACKGROUND

Rapid advances in electronics and communication technologies, driven byimmense customer demand, have resulted in the widespread adoption ofelectronic transactions and record keeping. As one example,e-currencies, such as Bitcoin, have displaced paper currencies inmillions of transactions per year. Improvements in the verification andrecordation of such electronic transactions will continue to increasethe features and options available to operators engaging in electronictransactions.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows two example views of a blockchain.

FIG. 2 shows two example rewrites to the example blockchain of FIG. 1.

FIG. 3 shows an example blockchain processing system.

FIG. 4 shows an example blockchain rewriting system.

FIG. 5 shows example rewrite management logic.

FIG. 6 shows example rewrite logic.

FIG. 7A shows two example collision searches.

FIG. 7B shows an example rewrite to a blockchain using a collision.

FIG. 8 shows an example blockchain portion paired with an exampleupdated blockchain portion.

FIG. 9 shows an example dual-link blockchain portion.

FIG. 10 shows an example hybrid blockchain.

FIG. 11 shows an example rewritable blockchain scenario.

FIG. 12 shows an example distributed key secret blockchain rewritescenario.

FIG. 13 shows an example blockchain record maintenance scenario.

FIG. 14 shows an example internet of things rewriteable blockchainscenario.

FIG. 15 shows example blockchain loops.

DETAILED DESCRIPTION

A blockchain may include a series of data blocks, the blocks including acode, such as a cryptographic hash or checksum, which may becoding-consistent with the content of previous blocks in the series. Insome cases, determining multiple different sets of blocks that producethe same integrity code may be insoluble, prohibitively computationallycomplex, or otherwise effort intensive enough to frustrate attempts totamper with the contents of the blockchain while maintaining theself-consistence of the integrity codes. However, in someimplementations a trusted party may have access to a key secret, orportion of a key secret, such that the party, acting alone or with thosein possession of the other portions of the key secret, may edit theblockchain contents without leaving indication of tampering.

In various systems multiple parties may use a blockchain-based file orledger to maintain a tamper-evident record of events, transactions, orother updates. In some cases, a blockchain may register tampering aftera change made to the blockchain by an untrusted party, for example aparty not in possession of the key secret. Thus, the parties mayindividually verify that updates by other parties are valid andcoding-consistent with the previous data blocks of the blockchain. Theself-consistence of the integrity codes allows the updates to theblockchain to be verified even if the party lacks an archived version ofthe blockchain to use as a reference. When a rewrite to one or more datablocks in a blockchain does not introduce coding-inconsistency among theintegrity outputs and data block contents of the blocks in theblockchain, the rewrite may be characterized as preserving the validityof the blockchain.

A blockchain may be secured by an integrity code. An integrity code mayproduce a particular integrity output when particular data is providedas input to the integrity code. In some cases, when data different thanthe particular data is provided to the integrity code as input, theintegrity code may produce a different integrity output. In an examplescenario an integrity output from the integrity code generated fromparticular input data from a data block is stored and the data block islater changed. If the changed data is provided to the integrity code asinput, the integrity code may produce an integrity output that isdifferent or otherwise coding-inconsistent with the stored integrityoutput. Therefore, the change may be detected in this example scenario.

A blockchain may include a series of blocks where each subsequent blockin the series holds the integrity output for a previous block. Theseries may form a chain of blocks in which each subsequent block holdsan integrity output generated from the data present in the immediatelyprior block. Accordingly, if a block is changed, a coding-inconsistencywith the integrity output stored in a subsequent block may be detected.Since the integrity outputs are part of the stored data in the blocks,changes to the integrity outputs themselves may also be detected throughcoding-inconsistencies. This self-consistency of the integrity code maybe used to secure a blockchain with respect to covert tampering.

When secured by an integrity code, a tamper-evident change may includevirtually any change for which a coding-inconsistency between theintegrity outputs of the integrity code for a blockchain and the datawithin the blockchain can be detected. For example, the data in a blockof the blockchain may be hashed, run through a checksum, or have anotherintegrity code applied. If the data in the block is later found toconflict with the integrity output of the hash, checksum, or otherintegrity code, the change may be identified as tamper-evident. Aconflict may occur when the data currently in a block does not producean identical or equivalent integrity output to the earlier obtainedintegrity output when the integrity code is applied to the datacurrently in the block. When a change is made to a block and nocoding-inconsistency with the previously stored integrity outputs of theintegrity code can be detected afterward, that change may benon-tamper-evident. In some cases, a non-tamper-evident rewrite may beimplemented by substituting a first block with a second block withdifferent data content that produces the same (or an equivalent)integrity output.

In some cases, after entry, some blocks in a blockchain may includeinformation that is no longer appropriate for inclusion in theblockchain. For example, blocks may expire after time or after adetermined number of subsequent entries, private information may beincluded in the blocks, inaccurate entries may be included in theblocks, information prejudicial to one or more of the parties using theblockchain may be included in the blocks, incomplete information may beincluded, or other inappropriate information may be included.Accordingly, a trusted party, for example a neutral third party, agoverning party, or a group of individually untrusted parties, mayrewrite, remove, or supplement data included in the blocks in anon-tamper-evident fashion. The systems and techniques described belowimplement technical solutions for rewriting blocks in the blockchain toallow trusted parties to redact information from the blockchain, withoutcausing the blockchain to fail for its intended purpose. For example,the parties may use a modified blockchain as if it was the earlier, andunmodified, blockchain.

Blockchain rewrites may be used to perform low level (e.g., from ahardware architecture standpoint) operations such as memory rewrites,deletions, and additions. Accordingly, the techniques and architecturesmay improve the operation of the underlying hardware of a computersystem because the system may utilize blockchain protocols for storingdata for which verifiability is implemented. For example, operatingsystem software for secure systems may be stored in blockchain payloadsto protect the data from manipulation by malware, unauthorized parties,unauthorized devices, or other unintended/unauthorized alterations.

Additionally or alternatively, blocks may represent a smallest incrementof data that may be distributed when an update is made. For example, oneor more updated block may be sent separately from the entire blockchainduring an update. However, in some cases, at least the entire blockchainmay be distributed with individual valid updates. For example, when anew secured transaction is performed and added to a ledger secured via ablockchain, the entire blockchain (e.g., full transaction history) maybe re-distributed with the updated transaction added. Blockchain rewritesystems, such as exemplary implementations described herein, that allowtruncation, right-sizing, extension, or other blockchain sizeadjustments may improve the operation the underlying hardware byallowing adjustment of the data overhead consumed during blockchainupdate and distribution.

In addition, the ability of a trusted party to rewrite a blockchain mayimprove tamper-resistance by providing an established rewrite solution.Accordingly, rather than having to jettison a blockchain due toinappropriate content, a trusted party may rewrite the existingblockchain. Accordingly, blockchain rewrite dramatically improves systemefficiency, compared to recreating a new blockchain. Blockchain rewritemay also reduce the probability of a malicious party using a defunctblockchain, which may have been discarded due to inappropriate content,to spoof a system by notifying the system that it did not receive aprior notification of the blockchain discard. Accordingly, therewritable blockchain may have the technical effect of improved datasecurity and tamper-resistance. In other words, the techniques andarchitectures discussed herein comprise concrete, real-worldapplications of and improvements to existing technologies in themarketplace.

Further, the techniques and architectures, including those forrewritable blockchains, distributed key secrets, dual-link blockchains,loops, and other techniques and architectures discussed require one toproceed contrary to accepted wisdom. In particular, conventionalapproaches to blockchain distributed databases require immutability ofthe blockchain as a foundational feature. Expressed another way,immutability has been repeatedly explained in prior work as an essentialfeature in establishing the technological value of a blockchain.Immutability in blockchains has been incorrectly viewed and dictated asthe required way to ensure that parties using a blockchain trust thevalidity of the data contained in the blockchain. Accordingly, thetechniques architectures described here that add rewritability to ablockchain proceed contrary to accepted wisdom. The present techniquesand architectures proceed contrary to accepted wisdom by introducingrewritability, while still maintaining high security, and therefore thehigh technological value of the blockchain. As such, despite thesignificant departures of the present techniques and architectures fromprior teachings, the present techniques and architectures provide highlevels of trust in the blockchain despite its mutability.

FIG. 1 shows example two example views 100, 150 of a blockchain whereeach subsequent block includes an integrity code (e.g., a hash,chameleon hash, or other integrity code) using the previous block as aninput. For instance, block B1 104 includes a integrity output, IC(B0),in this integrity output field 124 determined from content of previousblock B0 102 serving as input to the integrity code. The content of B0102 used in determination of IC(B0) may include any or all of the fieldswithin B0, such as Data 00 121, the [null] integrity output field 122,or the BlockID 123. The data fields (e.g., Data 00 121, Data 10 131, andother data fields) of the blocks may be used to store any type of data.For example, the blockchain data fields may hold account data, personaldata, transaction data, currency values, contract terms, documents,version data, links, pointers, archival data, other data, or anycombination thereof.

The fields in a block that are not used to determine the integrityoutput in a subsequent block may not necessarily be secured by theblockchain. For example, these fields may be altered without generatingcoding-inconsistencies among the blocks. Further, if any integrityoutput field is not used in the determination of the integrity outputfor a subsequent block in the chain, the blockchain may not necessarilyensure the coding-consistency among blocks discussed above because theunsecured integrity output may be changed without necessarily generatingevidence of tamper. Accordingly, in various implementations, theintegrity output field and at least a secured portion of a data payloadof a block are used in determination of the integrity output for asubsequent block (e.g., the next block) in the blockchain. Similarly,IC(B1) in the integrity output field 125 of block B2 106 may be based onfields within Block B1 104, including, for example, any of the integrityoutput field 124, the data fields, or the BlockID field of block B1 104.In the example, the integrity code, IC, may be a chameleon hash, asdiscussed below.

The blockchain blocks may be locked 152 to one another via the integritycodes. In one sense, the blocks are locked to one another because theintegrity code output fields in each of the blocks are based on thecontent in the previous block at the time the integrity output wasgenerated (e.g., when the block was added to the chain). Accordingly, ifa previous block changes after a current block is added, the change willbe tamper-evident because the change will be coding-inconsistent withthe integrity output stored in the current block. Hence, the content ofthe previous block is “locked-in” once a current block with a storedintegrity output based on the previous block is added to the blockchain.In the example blockchain in FIG. 1, the content of B1 104 may be lockedonce B2 106, which contains IC(B1) in its integrity output field, isadded to the blockchain. As a result, the content of B0 102 which waslocked by B1 104 is further secured by B2 106 because B2 106 prevents B1104 from being changed in a non-tamper-evident manner.

In an example scenario, the rewritable blockchain may be implementedusing chameleon hash as the integrity code, as discussed below. However,virtually any code may be used for which tampering is self-evident forparties not in possession of a key secret allowing editing.

FIG. 2 shows two example rewrites 200, 250 to the example blockchain ofFIG. 1. In the first example 200, the block B2 202 is replaced with ablock B2′ 204 with new content The new block B2′ 204 includes contentgenerated using the key secret such that the integrity output generatedwhen using block B2′ 204 as input is the same as that using originalblock B2 202 as input. For example, IC(B2)=IC(B2′).

In the second example 250, the block B2 202 is removed. Block B1 206from the original chain may be replaced with block B1′ 208 to becoding-consistent with the integrity output contained in block B3 210.For example, the block B1′ 208 may include content generated using thekey secret such that the updated block B1′ 208 may appear to be thecorrect block (and is a correct block in terms of the blockchainintegrity code) to precede subsequent block B3 210. That is, B1 isreplaced after deletion of block B2 so that B1′ can immediately proceedB3 without any violation of the blockchain integrity code.

In various implementations, different rewritable blockchains may havedifferent key secrets. Thus, a trusted party able to rewrite a givenblockchain may not necessarily be able to act as a trusted party andrewrite a second, different, blockchain. Using different key secrets fordifferent blockchains may prevent multiple blockchains from beingcompromised simultaneously through the disclosure of a single keysecret. However, multiple blockchains using the same “master” key secretmay be generated by blockchain systems (e.g., a key secret may be amaster key secret if it may be used with multiple different blockchainsystems). Using a common secret among multiple blockchains may allow formore streamlined administration than using different key secrets for thedifferent blockchains.

Additionally or alternatively, a blockchain may have multiple differentkey secrets that allow non-tamper-evident editing. In an examplescenario, a master key secret may be used with multiple blockchains eachwith individual key secrets that do not necessarily allownon-tamper-evident editing on the other blockchains covered by themaster key secret. For instance, blockchains A, B, and C may all allowrewrite with master key secret MK. Further, blockchain A may have anindividual rewrite key secret A1, blockchain B may have an individualrewrite key secret B1, and blockchain C may have an individual rewritekey secret C1. In this example, a processing system may rewriteblockchain B using MK or B1, but not with A1 or C1.

Further, in some implementations, a granting key secret may be used toissue key secrets to trusted parties. For example, encrypted cache ECmay include additional key secrets for blockchains A, B, and C (e.g.,key secrets A2 . . . AN, Bn . . . Bn, C2 . . . Cn). A trusted party inpossession of a granting key secret GK to decrypt EC and allow issuanceof the stored keys to new trusted parties. In some cases, a master keysecret may double as a granting key secret. For example, processingsystems may use master key secret to generate block content forrewriting, and the master key secret may serve as a decryption key foran encrypted cache of key secrets.

In addition, distributed key schemes discussed below, may be applied forgranting key secrets and master key secrets. In some systems, trustedparties may individually perform rewrites to the blockchain. However,the same trusted parties may combine, using any of the distributed keyschemes discussed below, their keys to gain the authority associatedwith a granting key or master key. For example, three individuallytrusted parties may each perform rewrites without the assent of theother parties. However, the three parties may be forced to combine theirkey secrets, e.g., coordinate, to gain granting privileges and grant afourth party its own key secret.

In various implementations, increased privileges may be obtained throughcoordination of a specified threshold number of parties, by specificpre-determined parties, by parties of a given class, by all parties, orby another defined group of parties. The distributed key secret schememay determine the participation level rules for coordination.

In various implementations, keys secrets may be assigned to operatorsusing key secret assignment schemes. The key secret assignment schemesmay include assignment schemes based on operator identity, association,priority, or other basis.

In some cases, the blockchain is flagged to indicate that it is subjectto editing. The flags or fields indicating that the blockchain isrewritable may identify the trusted parties with authority to rewritethe blockchain. This may assist parties with an interest in rewritingthe blockchain in identifying the trusted parties able to perform therewriting. For example, a blockchain may be accompanied by metadatadescribing the purpose, original, operational parameter, or otherinformation on the blockchain. Flags for rewriting may be incorporatedwithin the metadata. However, when such metadata is included outside ofthe blockchain it may be changed without evidence of tampering. Allowingthe metadata to be changed freely may reduce computing resources neededto perform an edit and increase the number of parties that may correct ametadata error. In other systems, processing systems may write suchmetadata into the blocks of the blockchain itself, for example, intodedicated fields or the data payload of blocks. Writing the metadata tothe blockchain itself may prevent unauthorized parties from alteringblockchain metadata (e.g., for potentially malicious purposes).

In some implementations, the existence of the trusted parties may bekept secret from the untrusted parties or a portion of the trustedparties. In some cases, the integrity code may not necessarily providean indication by inspection of its operation that trusted parties mayedit entries in the blockchain. That is, the algorithm that generatesthe integrity code does not itself easily reveal that it supportsblockchain rewrite. Keeping the existence of the trusted parties inconfidence may discourage parties from attempting to steal or otherwiseacquire the trusted party's key secret. Further, parties may haveincreased confidence in the blockchain if the parties assume that theblockchain cannot be edited by another party without the tampering beingevident.

In some implementations, entities with knowledge of a key secret maymake alterations to the blockchain. This key secret could be in thepossession, in whole or in part, of operators, a centralized auditor, orother parties. Additionally or alternatively, shares (e.g., portions) ofthe key could be distributed among several individually untrustedparties. The integrity code may be a virtual padlock on the linkconnecting two blocks.

The key secret to open the virtual padlock can be managed according tothe requirements of specific applications. For example, in a businessnegotiation (or government treaty negotiations) a key secret allowingalteration of proposed contract (treaty) terms may be held by neutralthird party. Additionally or alternatively, equal portions (e.g.,halves, thirds) of the key secret may be held by each party in thenegotiation, such that terms may be altered with the consent of allparties or a defined plurality of the parties. In collaborative softwaredesign implementations, key secrets may be distributed in portions tostakeholders to enforce consensus before allowing alteration to certainsoftware code. Below, example key secret distribution schemes arediscussed, including centralized and distributed schemes. However, otherschemes are possible.

FIG. 3 shows an example blockchain processing system (BPS) 300. The BPS300 may include system logic 314 to support verifications of andrewrites to blockchains. The system logic 314 may include processors316, memory 320, and/or other circuitry, which may be used to implementthe blockchain processing logic 342. The memory 320 may be used to storeblockchain metadata 322 and/or blockchain data 324 used in blockchainrewrites and block additions.

The memory may further include program instructions that implementblockchain processing, and one or more supporting data structures, forexample, coded objects, templates, or other data structures to supportverification of updates to blockchains and detect evidence of tampering.The memory may further include flags 323 which may indicate whetherparticular blockchains can be edited. In an example, the flags 323, maybe implemented using a bit within specific fields within a blockchain orblockchain metadata to indicate editability. Further, the memory 320 mayinclude parameter fields 326 that may include the identities of contactinformation of the trusted parties, for example, names, addresses,phone, email, or other contact information.

The BPS 300 may also include one or more communication interfaces 312,which may support wireless, e.g. Bluetooth, Wi-Fi, wireless local areanetwork (WLAN), cellular (third generation (3G), fourth generation (4G),Long Term Evolution Advanced (LTE/A)), and/or wired, ethernet, Gigabitethernet, optical networking protocols. The communication interface 312may support communication with other parties making updates toblockchains or performing blockchain transfers. The BPS 300 may includepower management circuitry 334 and one or more input interfaces 328. TheBPS 300 may also include a user interface 318 that may includeman-machine interfaces and/or graphical user interfaces (GUI). The GUImay be used to present data from blockchain-based verifications to anoperator of the BPS 300. The user interface 318 may also render GUIswith tools to support block additions to blockchains.

FIG. 4 shows an example blockchain rewriting system (BRS) 400. The BRS400 may be used by, for example, a trusted party performing redaction,revision, or supplementation on a blockchain. For example, asupplementation may include adding content to an existing block. Even inblockchains that do not support non-tamper-evident rewrites, anauthorized operator may add a new block, e.g., a new transaction record,to the blockchain. However, alterations to existing blocks (includingadditions) may generate evidence of tamper unless performed by a trustedparty in possession of a key secret. The BRS 400 may include systemlogic 414 to support verifications, updates, and rewrites toblockchains. The system logic 414 may include processors 416, memory420, and/or other circuitry, which may be used to implement theblockchain processing logic 442 and the rewrite management logic (RML)441.

The memory 420 may be used to store blockchain metadata 422 and/orblockchain data 424 used in blockchain rewrites and block additions. Thememory 420 may further store key secrets 421, such as an encryption keyvalue, trapdoor information, or other secret value, that may allownon-tamper-evident rewriting of a blockchain. In some cases, the keysecrets 421 may be stored in protected memory 480, such as encryptedfiles or data drives, physically secured drives, drives coupled totriggers for anti-theft countermeasures, or self-deleting drives toprevent accidental or surreptitious disclosure of the stored key secrets421. The memory storing key secrets may include trusted memory or othermemory in possession of or controlled, either directly or indirectly, bya trusted party.

The memory 420 may further include applications and structures, forexample, coded objects, templates, or one or more other data structuresto support verification of updates to blockchains and detect evidence oftampering. The memory may further include flags 423 which may indicatewhether particular blockchains can be edited and the identities of thetrusted parties. The BRS 400 may also include one or more communicationinterfaces 412, which may support wireless, e.g. Bluetooth, Wi-Fi, WLAN,cellular (3G, 4G, LTE/A), and/or wired, ethernet, Gigabit ethernet,optical networking protocols. The communication interface 412 maysupport communication with other parties making updates to blockchainsor performing blockchain transfers. Additionally or alternatively, thecommunication interface 412 may support secure information exchanges,such as secure socket layer (SSL) or public-key encryption-basedprotocols for sending and receiving key secrets between trusted parties.Further, the secure protocols may be used to combine key secrets amongindividually untrusted parties each having some portion of a key secret,as discussed below. The BRS 400 may include power management circuitry434 and one or more input interfaces 428.

The BRS 400 may also include a user interface 418 that may includeman-machine interfaces and/or graphical user interfaces (GUI). The GUImay be used to present data from blockchain-based verifications to anoperator of the BRS 400. Additionally or alternatively, the userinterface 418 may be used to present blockchain rewriting tools to theoperator.

In some cases, the user interface 418 may include a GUI with tools tofacilitate blockchain rewrites and deletions. The GUI tools forrewriting may include “what you see is what you get” tools that allowoperators to manipulate the content of the blockchain, e.g., usingword-processor-like tools, web-editing-like tools, file-browsing-liketools, or any combination thereof. Additionally or alternatively, theuser interface 418 may include command-line editing tools. The tools,whether text or graphic based, may allow operators to access key secretsand perform edits on blockchains for which they are authorized. In somecases, the tools may deny writing capabilities to operators lacking theproper key secret for the blockchain that they are attempting to edit.However, in some implementations, the tools may allow such unauthorizedediting because it will result in tamper-evident rewrite that willinvalidate the unauthorized edits to the blockchain.

FIG. 5 shows example RML 441, which may be implemented in or withcircuitry. The RML 441 may handle management of key secrets andimplementation of rewrite commands. For example, the RML 441 maydetermine availability of key secrets for particular blockchains andpass those key secrets to the rewrite logic 600 (discussed below) forexecution of the rewrites. The RML 441 may also handle reception ofrewrite commands or reception of commands for the automation ofblockchain rewrites. Once, the RML 441 identifies the change requestedand the blockchain involved, the RML 441 may access the blockchain(502).

The RML 441 may determine whether the memory 420 of the BRS 400 holds akey secret allowing rewrites to the accessed blockchain (504). If thememory 420 does not store the key secret, the RML 441 may determinewhether the key secret is accessible via secure communication or viasecure combination of portions of the key secret using the communicationinterface 412 (506). For example, the portions may include portions of akey secret held by parties that individually are untrusted, but as agroup, with their portions combined into a full key secret, form atrusted party. In some implementations, the key secret or portionthereof may be accessed via a secure communication using communicationinterface 412, e.g., to protect against interception of the key secretduring communication. If the key secret cannot be accessed, the RML 441may indicate, via the GUI 418 that non-tamper-evident rewrites to theblockchain are not available (508). If the key secret is accessible,either in memory or via secure communication, the RML 441 may prompt theoperator for rewrites to the blockchain (510).

Additionally or alternatively, the RML 441 may automatically obtainrewrites (511). For example, rewrites may be available from a rewritequeue, embedded within a previously received command, obtained fromother blockchains, determined from content identified by the systems asmalicious code or other inappropriate content, or other rewritesautomatically obtained by the RML 441. The rewrites may be stored as acommand identifying changes to be made to one or more blocks and, ifcontent is to be added by the change, content to be written to theblocks. The command itself may include the content to be written or,alternatively, may include a pointer to location of the content. The RML441 may call rewrite logic 600 (see FIG. 6) to perform the rewrites(512). For example, when non-tamper-evident rewrites are available, theBRL 441 may call rewrite logic 600 to execute the rewrites to the block.FIG. 6 shows example rewrite logic 600, which may be implemented in orwith circuitry. The rewrite logic 600 may access a blockchain (602). Forexample, the rewrite logic 600 may access memory where a blockchain isstored. Additionally or alternatively, the rewrite logic 600 may accessa blockchain via a networking communication interface (e.g.,communication interfaces 412). In some cases, the rewrite logic 600 mayaccess the blockchain using a secured connection or on secured memory asdiscussed above.

The blockchain may include one or more data blocks that are secured byan integrity code. For example, a rewrite-protected cryptographic hashfunction, such as a hash function without a key secret for allowingnon-tamper-evident rewrites, a chameleon hash, cyclic redundancy checks(CRCs), checksums, or other integrity codes may be used to secure thedata blocks within the blockchain. In some implementations, theindividual data blocks may be secured by a particular integrity outputthat is coding-consistent with the data content of the block. Forexample, an integrity output may be coding-consistent with the contentof block when applying the integrity code to the contents of the blockthat produces that integrity output. When an integrity output iscoding-consistent with the data that it secures, the data may be deemedvalid. As discussed above, that particular integrity output may beplaced within a neighboring block to prevent or frustrate attempts torewrite the data content in a non-tamper-evident fashion. Further, asdiscussed below with respect to hybrid blockchains, some blockchains mayinclude portions (e.g., of individual blocks or groups of blocks) thatmay allow for non-tamper-evident rewrites alongside portions that maynot necessarily allow for non-tamper-evident rewrites by trustedparties.

The rewrite logic 600 may access a key secret, such as a cryptographickey or trapdoor information, that is paired to the integrity code of theblockchain (604). The key secret may include data that allows a system,e.g., the BRS 400, to compute collisions, e.g., two different datablocks that produce the same integrity output for the integrity code.Using the computed collisions, a device may rewrite the blockchainwithout the rewritten blocks being coding-inconsistent with theintegrity code. For example, an operator may instruct a BRS 400 computea collision using a key secret and rewrite a blockchain.

The rewrite logic 600 may receive a command, e.g., from the RML 441, toperform a rewrite on the blockchain (606). For example, the command mayhave been received from an operator for a trusted party that wishes toreplace or delete data (e.g., content) from a particular block. Theoperator may indicate, e.g., in a command issued through a man-machineinterface to the BRS 400, the original data and the replacement datafrom input devices of a user interface. Additionally or alternatively,commands to replace data may be received via a network communicationinterface, for example from a terminal associated with the trustedparty. The rewrite logic 600 may receive the command to perform therewrite from the RML 441. Further commands to perform rewrites mayoriginate from automated sources such as those describe above withrespect to the RML 441.

The rewrite logic 600 may process the key secret, the replacement data,and the original data to determine additional data for which thereplacement data and the additional data produce the same integrityoutput for the integrity code that is produced for the original data(608). Accordingly, the replacement data and additional data maysupplant the original data without necessarily creating evidence oftampering. In an example scenario, where the integrity code is achameleon hash, the key secret for the chameleon hash allows the rewritelogic 600 to determine collisions for virtually any original datacontent. In this example scenario, using the key secret, the rewritelogic 600 may compute additional data that produces the same hash outputas any given original data when combined with replacement data selectedby a trusted entity.

A deletion operation may be executed in the same or similar fashion asother rewrites. However, rather than selecting a replacement data andadditional data to be coding-consistent with neighboring blocks (e.g.,blocks immediately subsequent or immediately prior in the blockchain).The replacement data and additional data may be selected to becoding-consistent with other blocks further up or down the blockchain.For example, if the replacement data of the rewritten block collideswith the data of a subsequent block further down the blockchain (e.g.,non-adjacent blocks) rather than that of the block that is beingreplaced, one or more subsequent blocks (e.g., one or more consecutiveblocks in the blockchain immediately following the rewritten block) maybe removed. Additionally or alternatively, if the integrity output fieldin the replacement data includes an integrity output of a block that istwo or more blocks prior to the block being replaced, one or more blocksprior to the block being replaced may be deleted. Accordingly, when arewrite includes a deletion, the rewrite logic 600 may delete one ormore blocks prior to or subsequent to the block being rewritten (609).

Once the rewrite logic 600 determines the proper additional data, therewrite logic 600 may generate the additional data (610) and combine theadditional data with the replacement data (612). In someimplementations, particularly in schemes where the rewritability of theblockchain is kept confidential, the existence of the additional datamay be masked. Thus, a party not in possession of the key secret wouldnot be able to immediately identify the rewritable blockchain asrewritable simply by noting the existence of the additional data.

For example, the additional data may be placed in a field within theblocks that contains data with another identified purpose. For example,the additional data may be appended to integrity output fields or to“randomness” fields as discussed below with regard to FIG. 8.

However, in some cases, declining to expressly identify a specificpurpose for the additional data, which would be otherwiseincomprehensible, may be sufficient to prevent untrusted operators fromdeveloping a suspicion that the blockchain that they are using is arewritable blockchain.

In various implementations, the chameleon hash may be identifiable byboth trusted and untrusted parties to facilitate verification of blockcontent.

The rewrite logic 600 may then write replacement data combined with theadditional data in place of the original data (614). For example, therewrite logic 600 may overwrite the original data with the combinedreplacement and additional data. Because the combined data iscoding-consistent with the integrity output of the original data, theoverwrite of the original data may be performed in a non-tamper-evidentmanner, at least with regard to the integrity code. In other words, therewrite may be non-tamper-evident, even if replacing the original datawith the replacement data alone would result in a tamper-evidentrewrite. As discussed below, dual-chain and multiple chain blockchainsmay be used in some implementations. Accordingly, rewriting a blockchaincoding-consistently with a first integrity code of the blockchain maynot necessarily result in a fully non-tamper-evident rewrite.

The replacement data may include completely rewritten data; an alteredversion of the original data, such as a redacted version of the originaldata; the original data with additions; a complete deletion of theoriginal data; or other data.

The techniques and architectures discussed herein allow rewrites to thecontent of a blockchain that may be implemented in services, such asdecentralized services, that exploit blockchain-based technologies.Non-tamper-evident, validity preserving, or other type of rewrites to ablockchain may be used in various scenarios. The scenarios, for example,may include removing improper content from a blockchain, providingsupport for applications that use rewritable storage, complying withgovernmental regulations such as to “the right to be forgotten”, orother scenarios.

The techniques and architectures, including those for rewritableblockchains, distributed key secrets, dual-link blockchains, loops, andother techniques and architectures discussed herein may be used inconjunction with various blockchain consensus techniques. For example,in some cases, rewritable blockchains may be used with proof of workbased consensus mechanisms. Accordingly, operators, e.g., untrustedoperators, may be granted the ability to append a block to therewritable blockchain upon finding a solution of a pre-defined challengeand showing proof of work for the solution. In some implementations,consensus mechanisms based on “practical Byzantine fault tolerance” maybe implemented. Further, some implementations may use “smart contract”type consensus mechanisms where operators may append blocks upon ashowing of compliance with the terms or rules of the smart contract.Integrity codes may be implemented independently of the particularconsensus mechanism used in a blockchain. Accordingly, integrity code,include integrity code supporting blockchain rewrites, may beimplemented with virtually any blockchain consensus mechanism.

In some implementations, chameleon hash functions, which may allow forefficient determination of hash collisions when given a key secret, maybe used by the system e.g., BRS 400. In some cases, the system may use achameleon hash to grant a trusted entity, multiple individuallyuntrusted parties that together makeup a trusted party, or other entitythe ability to make non-tamper-evident rewrites to a blockchain.

In some implementations, a hash function may remain collision resistanteven after polynomially many collisions have been already found (usingthe key secret). This property may be called key-exposure freeness. Asdiscussed below, a transformation may be used to convert a chameleonhash function into one additionally satisfying key-exposure freeness.

FIG. 7A shows two example collision searches 700, 720. For a hashfunction lacking a key secret (H), collisions may be difficult to find.Accordingly, finding X and X′ such that H(X)=H(x′) may be prohibitivelydifficult (700). However, for a chameleon hash CH, an device inpossession of the key secret 722 may be able to find X and X′ such thatCH(X)=CH(X′) (750).

FIG. 7B shows an example rewrite to a blockchain 760 using a collision.Blockchain 760 includes blocks 762, 764, 766, and 768. Block 766includes integrity output 784. When two different blocks 766, 770 withdifferent content produce the same integrity output 786 for an integritycode, the blocks 766, 770 are a collision for the integrity code (796).Block 766 may be replaced with block 770 and maintain coding-consistencewith subsequent block 768 because blocks 766 and 770 produce the sameintegrity output. However, if block 770 does not contain the properintegrity output (e.g., integrity output 784), block 770 will not becoding-consistent with block 764. With access to the key secret of anintegrity code, a party is able to specify the integrity output presentin block 770 (797). Accordingly, block 770 can be made coding-consistentwith block 764 by including integrity output 784 (798). Block 770 isstill coding-consistent with block 768 because Block 770 collides withblock 766. Alternatively, if Block 770 is instead constructed to includeintegrity output 782, the insertion of Block 770 may be used to deleteblock 764 (799). With integrity output 782, block 770 iscoding-consistent with block 762 (as its preceding block) and block 768(as the block immediately subsequent). Accordingly, block 764 may beremoved from the blockchain with no evidence of tamper.

In some real-world applications, an append-only ledger for the majorityof parties (to preserve security) that allows rewriting may beimplemented. To implement the real-world application, rewriting may beconstrained such that it may be performed by trusted parties or indefined circumstances. Two examples of real-world applications arediscussed below with regard to FIGS. 13 and 14.

In some cases, applications such as smart contracts or overlayapplications may not necessarily work and scale if the blockchain maynot be edited in a validly-preserving or non-tamper-evident fashion. Asmart contract may include a sequence of instructions, for examplecomputational instructions, that a party performs in exchange forcompensation.

Further, rewritable blockchains may provide support for updates to theapplication that the blockchain is used to secure. If a blockchain-basedsystem is overhauled after inception, a rewritable blockchain may beused to rebuild the blockchain to reflect to overhaul.

Notation

For a string x, its length may be denoted by |x|; if X is a set, |X| mayrepresent the number of elements in X. When x is chosen randomly in X,the selection may be denoted as x←$ X. When A is an algorithm, y←$ A(x)may denote a run of A on input x and output y; if A is randomized, theny is a random variable and A(x; r) may denote a run of A on input x andrandomness r. An algorithm A is a probabilistic polynomial-time (PPT) ifA is randomized and for any input x, r∈{0, 1}*. The computation of A(x;r) may terminate in after up to poly (|x|) steps.

A security parameter may be denoted as K∈

. A function v:

→[0, 1] may be negligible within the security parameter (or simplynegligible) if it vanishes faster than the inverse of any polynomial inK, i.e. v(K)=K^(−ω(1)). For a random variable X,

[X=x] may denote the probability that X takes on a particular value x∈X(where X is the set where X is defined). Given two ensemblesX={X_(K)}_(K∈N) and Y={Y_(K)}_(K∈N), X≡Y may denote that the twoensembles are identically distributed, and X≈_(c)Y may denote that thetwo ensembles are computationally indistinguishable, for example, for agiven scenario.

Public-Key Encryption

A Public-Key Encryption (PKE) scheme is a technique by which informationmay be exchanged publicly between two or more parties withoutnecessarily disclosing encryption keys, key secrets, or other secretspublicly. Further, PKE may be achieved without necessarily requiringfull disclosure of key secrets or other secrets among the parties in theexchange. In an implementation, a PKE may be executed using a tuple ofalgorithms PKE=(KGen, Enc, Dec) defined as follows: (1) Theprobabilistic algorithm KGen takes as an input the security parameter K∈

, and outputs a public/secret key pair (pk, sk). (2) The probabilisticalgorithm Enc takes as an input the public key pk, a message m∈M, andimplicit randomness ρ∈R_(pke), and outputs a ciphertext c=Enc(pk, m; p).The set of all ciphertexts is denoted by C. (3) The deterministicalgorithm Dec takes as an input the secret key sk and a ciphertext c∈Cand outputs m=Dec(sk, c) which is either equal to some message m∈M or toan error symbol ⊥.

In some cases, PKE or other secure exchange schemes may be used byindividually-untrusted parties to combine portions or shares of a keysecret of the integrity code to generate a full key secret capable ofnon-tamper-evident rewrites of a blockchain. In some cases secureexchange schemes may be used to ensure that third parties are unable toacquire the portions of the key secret by observing the exchange.Additionally or alternatively, secure exchange schemes may be used byindividually untrusted parties to prevent other individually untrustedparties from acquiring multiple portions during an exchange. Forexample, in an unsecured exchange, once an individually untrusted partycollects the portions from the other untrusted parties, the collectingparty irrevocably becomes a trusted party. However, in a secureexchange, such as how PKE is implemented, an untrusted party may collectportions of the key secret from the other untrusted parties withoutactually learning the content of the collected individual portions.Accordingly, collecting portions of the key secret from otherindividually untrusted parties does not necessarily result in thecollecting party becoming a trusted party. Thus, the individuallyuntrusted parties may together makeup a trusted party, but afterexpiration or other invalidation of a combined key, the individuallyuntrusted parties return to their separate untrusted status until theyagain agree to combine their individual portions. In some cases, acombined key may expire after a pre-determined period of time or afterperforming a pre-determined volume of rewrites. For example, thecombination process may specify a pre-determined expiration parameterwhich may delineate a number of rewrites, a number of blocks that may berewritten, a duration, a volume of data that may be altered, a specificlisting of blocks that may be rewritten, one or more event occurrences,or a combination thereof.

In other cases, the key may be combined in such a way that the partiesworking together can determine the additional content used to perform anon-tamper-evident rewrite of the block. However, no single partynecessarily collects a complete (but encrypted) key such that no singleparty could determine the additional content on behalf of the otherparties. Rather, each individually untrusted party within a group thatmakes up a trusted party may calculate a portion of the additionalcontent (or perform some portion of the processing). An end result fromthe combined efforts of the individually untrusted parties serves as theadditional content to support the non-tamper-evident rewrite of a singleblock. For any subsequent rewrites, the individually untrusted partiesmay cooperate again for each specific block that is designated forrewriting by the group that makes up the trusted party.

The individually untrusted parties may be different operators (e.g.,entities, institutions, devices, or other parties) with differentoperator profiles on a single system. Additionally or alternatively,individually untrusted parties may be distributed over multiple systems.The individually untrusted parties may store their respective portionsof the key secret in different memory locations, which may have the sameor different security features. The individual memory locations may beassociated with individual ones of the individually untrusted parties.For example, the memory locations may correspond to a storage deviceowned or maintained by the respective ones of the individually untrustedparties. Similarly, trusted parties may maintain associated memorylocations. In some cases, the memory location may serve as an identifier(whole or in part) of a party. For example, memory location for atrusted party may be used to confirm that the key secret is beingcontrolled (e.g., access control, read/write control, or other control)by a proper trusted party. For example, a key secret may be rejected bythe system if it is not accessed from a trusted memory location (e.g., amemory location used, indirectly controlled, maintained, or owned by atrusted party). Similarly, portions of key secret held by untrustedparties may be tied to specific memory locations.

Example implementations that may be used to support the techniques andarchitectures described above are described below. For example, theimplementations discussed below may be used to construct chameleonhashes. However, other integrity codes may be used to non-tamper-evidentblockchain rewrites.

Non-Interactive Zero-Knowledge

If R: {0, 1}*x {0, 1}*→{0, 1} is an NP relation on pairs (x, y), withcorresponding language L:={y: ∀x s.t. R(x, y)=1}, a non-interactiveargument for R may allow a prover P to convince a verifier V that acommon element y belongs to the language L (where both P and V aremodeled as PPT algorithms). The prover P may be facilitated by knowing awitness x for y∈L.

Example Property 1 (Non-Interactive Argument).

A non-interactive argument for an NP relation R is a tuple of efficientalgorithms NIA=(I, P, V) specified as follows.

-   -   ω←$ I(1^(K)): The probabilistic algorithm I takes as an input        the security parameter K∈        , and outputs the public common reference string (CRS) ω.    -   π←$ P(ω, x, y): The probabilistic algorithm P takes as an input        the CRS ω and a pair x, y such that R(x, y)=1, and returns a        proof π for membership of y∈L.    -   d=V(ω, y, π): The deterministic algorithm V takes as an input        the CRS ω and a pair (y, π), and returns a decision bit d∈{0,        1}.

Non-interactive arguments may, in some cases, satisfy three propertiesknown as completeness, zero-knowledge, and soundness, which arediscussed below. The CRS may be used to facilitate non-interactivezero-knowledge conditions.

The completeness property may establish that an honest prover (holding avalid witness x) should be able to convince the verifier that y∈L.

Example Property 2 (Completeness for Arguments).

Let NIA=(I, P, V) be a non-interactive argument for an NP relation R.NIA may satisfy completeness if for all pairs (x, y) such that R(x,y)=1, there exists a negligible function v:

→[0, 1] such that

[V(ω,y,π)=1:π←$P(ω,x,y);ω←$I(1^(K))]≥1−v(K).

Zero-Knowledge.

The zero-knowledge property indicates that a possibly malicious verifiermay not necessarily acquire knowledge of a witness that it could notacquire by itself. This may contribute to non-interactive zero-knowledge(NIZK).

Example Property 3 (Zero-Knowledge).

Let NIA=(I, P, V) be a non-interactive argument for an NP relation R.NIA satisfies zero-knowledge if there exists a PPT simulator S:=(S₁, S₂)such that for all adversaries A there is a negligible function v:

←[0, 1] such that

${{{\left\lbrack {b = {b^{\prime}:\frac{\left. b^{\prime}\leftarrow{\$\;{A\left( {w,\tau,\pi_{b}} \right)}} \right.,\left. \pi_{0}\leftarrow{\$\;{P\left( {w,x,y} \right)}} \right.,\left. \pi_{1}\leftarrow{\$\;{S_{2}\left( {\tau,y} \right)}} \right.}{\left. b^{\prime}\leftarrow{\$\left\{ {0,1} \right\}} \right.,\left. \left( {x,y} \right)\leftarrow{\$\;{A\left( {w,\tau} \right)}} \right.,\left. \left( {w,\tau} \right)\leftarrow{\$\;{S_{1}\left( 1^{k} \right)}} \right.}}} \right\rbrack} - \frac{1}{2}}} \leq {{v(k)}.}$

Simulation Extractability.

The soundness property indicates that it is hard for a malicious proverto generate an accepting proof π for an element y∉L. In some casessoundness may still hold even if the malicious prover can accesssimulated proofs for true statements. In some implementations, astricter scheme may allow the prover to see proofs of possibly falsestatements; see discussion below.

Example Property 4 (True-Simulation Extractability (tSE)). Let NIA=(I,P, V) be NIZK for an NP relation R, with zero-knowledge simulator S=(S₁,S₂), and let f be an efficiently computable function. NIA satisfiestrue-simulation f extractability (f tSE for short) if there exists a PPTextractor E such that for all PPT adversaries A there is a negligiblefunction v:

→[0, 1] such that

${\left\lbrack {\begin{matrix}{y^{*} \notin {Q\bigwedge\left( {{V\left( {w,y^{*},\pi^{*}} \right)} = 1} \right)}} \\{{\bigwedge{\forall{x^{*}\mspace{14mu}{s.t.\mspace{14mu}{f\left( x^{*} \right)}}}}} = {z^{*}\left( {{R\left( {x^{*},y^{*}} \right)} = 0} \right)}}\end{matrix}:\begin{matrix}\left. z^{*}\leftarrow{\$\;{E\left( {\tau,y^{*},\pi^{*}} \right)}} \right. \\\left. \left( {y^{*},\pi^{*}} \right)\leftarrow{\$\;{A^{O_{\tau}}\left( {\cdot {, \cdot}} \right)}(w)} \right. \\\left. \left( {w,\tau} \right)\leftarrow{\$\;{S_{1}\left( 1^{k} \right)}} \right.\end{matrix}} \right\rbrack} \leq {{v(k)}.}$where oracle O_(T) takes as input pairs (x_(i), y_(i)) and returns thesame as S₂(T, y_(i)) as long as R(x_(i), y_(i))=1 (and ⊥ otherwise), andQ is the set of all values y_(i) asked to oracle O_(T).

Note that in the above example property 4 the adversary is only allowedto see simulated proof for true statements. A stronger variant ensuresthat simulation extractability holds even if the adversary is allowed tosee simulated proofs for possibly false statements. The latter propertyis also known under the name of robust NIZK.

As noted in tSE NIZK are significantly more efficient to construct,indeed they can be generically obtained combining a NIZK (such as theGroth-Sahai NIZK) with a CCA-secure PKE scheme.

Chameleon Hash Functions

A chameleon hash may include a cryptographic hash function for which adevice in possession of a key secret may compute collisions. Without thekey secret, the chameleon hash may be designed to make itcomputationally impractical to find collisions. However, knowledge ofthe key secret, for example, a cryptographic key, trapdoor informationor other secret, may allow for computationally practical generation ofcollisions for the hash function. Knowledge of the key secret may allowfor collision determination and generation for blocks containing atleast some arbitrary content.

Secret-Coin Chameleon Hashing

Example Property 5 (Secret-Coin Chameleon Hash).

A secret-coin chameleon hash function is a tuple of efficient algorithmsCH=(HGen, Hash, HVer, HCol) specified as follows.

-   -   (hk, tk)←$ HGen(1^(K)): The probabilistic key generation        algorithm HGen takes as an input the security parameter K∈        , and outputs a public hash key hk and a key secret tk.    -   (h, ξ)←$ Hash(hk, m): The probabilistic hashing algorithm Hash        takes as an input the hash key hk, a message m∈M, and implicit        random coins r∈R_(hash), and outputs a pair (h, ξ) that consists        of the hash output h and a check string ξ.    -   d=HVer(hk, m, (h, ξ)): The deterministic verification algorithm        HVer takes as an input a message m∈M, a candidate hash output h,        and a check string ξ, and returns a bit d that equals 1 if (h,        ξ) is a valid hash/check pair for the message m (otherwise d        equals 0).    -   π′←$ HCol(tk, (h, m, ξ), m′): The probabilistic collision        finding algorithm HCol takes as an input the trapdoor key tk, a        valid tuple (h, m, ξ), and a new message m′∈M, and returns a new        check string ξ′ such that HVer(hk, m, (h, ξ))=HVer(hk, m′, (h,        ξ′))=1. If (h, ξ) is not a valid hash/check pair for message m        then the algorithm returns ⊥.

The hashing algorithm may be randomized, and, upon input some message m,it may produce a hash output h together with a check value ξ that helpsverifying the correct computation of the hash given the public hash key.The random coins of the hashing algorithm are, however, secret. Aparticular case is the one where the check value ξ consists of therandom coins used to generate h, as the hash computation becomesdeterministic once m and r are fixed; we call such a chameleon hashfunction public-coin and we define it formally below.

Example Property 6 (Public-Coin Chameleon Hash).

A public-coin chameleon hash function is a collection of algorithmsCH=(HGen, Hash, HVer, HCol) specified as in Example Property 5, with thefollowing differences:

-   -   The hashing algorithm Hash, upon input of the hash key hk and        message m E

M, returns a pair (h, r), where r∈R_(hash) denote the implicit randomcoins used to generate the hash output.

-   -   The verification algorithm HVer, given as input the hash key hk,        message m, and a pair (h, r), returns 1 if and only if Hash(m;        r)=h.

Since the verification algorithm simply re-runs the hashing algorithm,some implementations may drop the verification algorithm from CH in thecase of public-coin chameleon hashing.

Example Property 7 (Correctness for Chameleon Hashing).

Let CH=(HGen, Hash, HVer, HCol) be a (secret-coin or public-coin)chameleon hash function with message space M. CH satisfies correctnessif for all m∈M there exists a negligible function v:

←[0, 1] such that:

[HVer(hk,m,(h,ξ))=1:(h,ξ)←$ Hash(hk,m); (hk,tk)←$ HGen(1^(K))]≤1−v(K).

Virtually any chameleon hash may be used to produce a public-coincollision-resistant chameleon hash. However, in some cases, secret-coinchameleon hash functions can be used for the same applications aspublic-coin ones, in particular for constructing chameleon signaturesand online/offline signatures. However for a secret-coin chameleon hashthe system may store the check value ξ (instead of the randomness r) inorder to verify a hash output. Further, and the hash verification maynot necessarily include re-computing the hash.

Collision resistance may not necessarily be sufficient for some of theapplications of chameleon hash. While the hash function iscollision-resistant, a party seeing a collision for the hash functionmay be able to find other collisions or recover the key secret. Addedcollision resistance, can be used to make it more difficult to findcollisions even after witnessing polynomially-many collisions.

Another type of chameleon hashing may include “labeled” hash functions,where the hash algorithm takes as input an additional value λ called thelabel or tag. In some cases, labeled hash functions may be resistant tokey exposure. For example, for some labeled hash functions it isunfeasible for a system to find collisions for a “fresh” label λ*, evengiven access to an oracle that outputs collisions for other arbitrarylabels λ≠λ. Identity-based chameleon hash functions may, at leastpartially, address the key exposure problem because they use a trustedparty to process identities.

Added Collision Resistance.

An example of a collision for a secret-coin or public-coin hash functionis a tuple h, (m, ξ′), (m, ξ′) such that m≠m′ and (h, ξ) and (h, ξ′) arevalid hash/check pairs for m and m′ (respectively). For a chameleon hashfunction the following security property, which indicates that it shouldbe hard to find collisions for the hash function even given access tothe collision finding algorithm (returning collisions for adaptivelychosen hash outputs).

Example Property 8 (Added Collision Resistance).

In an example scenario, CH=(HGen, Hash, HVer, HCol) may be a(secret-coin or public-coin) chameleon hash function. CH may satisfy theproperties of added collision resistance if for all PPT breakers B,there exists a negligible function v:

[0, 1] such that

${\left\lbrack {\begin{matrix}\left. {{{HVer}\left( {{hk},m,\left( {h,\;\xi} \right)} \right)} = {{{HVer}\left( {{hk},m^{\prime},{*\left( {h,\xi^{\prime}} \right)}} \right)} = 1}} \right) \\{\bigwedge{\left( {m \neq m^{\prime}} \right)\bigwedge\left( {h \notin Q} \right)}}\end{matrix}:\begin{matrix}\left. \left( {h,\left( {m,\xi} \right),\left( {m^{\prime},\xi^{\prime}} \right)} \right)\leftarrow{\$\;{B^{O_{{hk},{tk}}}( \cdot )}({hk})} \right. \\\left. \left( {{hk},{tk}} \right)\leftarrow{\$\;{HGen}^{(1^{k})}} \right.\end{matrix}} \right\rbrack} \leq {{v(k)}.}$where the set Q is the set of all hash outputs queried by B to itsoracle, and oracle O_(hk,tk) is defined as follows: Upon input acollision query of the form ((h, m, ξ), m′) run HVer(hk, m, (h, ξ)):=d;if d=1 return the output of HCol(tk, (h, m, ξ), m′), otherwise return ⊥.If B is not allowed to query oracle O_(hk,tk), CH may becollision-resistant without necessarily having added collisionresistance.Generic Transformation

Example chameleon hash functions that provide added collision resistanceinclude hash functions based on the Nyberg-Rueppel signature scheme. Thesecurity of these example chameleon hash functions can be demonstratedusing a discrete logarithm assumption within in the “generic groupmodel.”

The example construction below is for a chameleon hash based onNyberg-Rueppel principles. Added collision resistance may be achieved ina non-ad hoc fashion for a variety of different complexity environments.The transformation may be based on a CPA-secure PKE scheme and with tSENIZK.

Let CH=(HGen, Hash, HCol) be a public-coin chameleon hash function (withmessage space M_(hash) and randomness space R_(hash)), let PKE=(KGen,Enc, Dec) be a PKE scheme (with message space R_(hash) and randomnessspace R_(pke)), and let NIA=(I, P, V) be a non-interactive argumentsystem for the language

L_(CH)={(pk, c, hk, h, m):∀(r, ρ) s.t. h=Hash(hk, m; r)^c=Enc(pk, r;ρ)}. (1) An example secret-coin chameleon hash function CH*=(HGen*,Hash*, HVer*, HCol*) may be specified as follows:

-   -   HGen*(1^(K)): Run (hk, tk)←$ HGen(1^(K)), (pk, sk)←$        KGen(1^(K)), and ω←$ I(1^(K)). Return the pair (hk*, tk*), such        that hk*:=(hk, ω, pk), and tk*:=(tk, sk).    -   Hash*(hk*, m): Sample a random value r∈R_(hash) and run Hash(hk,        m; r):=h. Sample a random value ρ∈R_(pke) and run c:=Enc(pk, r;        ρ). Compute the proof π←$ P(ω, x, y), where x:=(r, ρ) and        y:=(pk, c, hk, h, m), and return (h, ξ) such that ξ:=(c, π).    -   HVer*(hk*, m, (h, ξ)): Parse=(c, π) and return the output of        V(ω, y, π) where y=(pk, c, hk, h, m).    -   HCol*(tk*, (h, m, ξ), m′): First run HVer(hk*, m, (h, ξ)):=d; if        d=0 then output ⊥, otherwise, decrypt the randomness r:=Dec(sk,        c), compute a collision r′←$ HCol(tk, (h, m, r), m′), sample a        random p′∈R_(pke) and encrypt the new randomness c′: =Enc(pk,        r′; p′). Compute the proof π′←$ P(ω, x′, y′), such that x′=(r′,        p′) and y′:=(pk, c, hk, h, m′), and return ξ′:=(c′, π′).

The system may be implemented using various protocols. For example,public-coin chameleon hash function based system may implementSigma-protocols. A Sigma-protocol is an interactive proving scheme, inwhich the “prover” and the “verifier” engage in a multiple-stagecommunication. During the multiple-stage communication, the prover mayconvince the verifier that prover is in possession of specificinformation. To achieve tSE NIZK, a CCA-secure PKE NIZK argument systemmay be used. An encryption scheme is CCA-secure when it is secureagainst a pre-defined ciphertext attack.

Example Blockchain

In an example scenario, a block is a triple of the form B=(s, x, ctr),where s∈{0, 1}^(K), x∈{0, 1}* and ctr∈

. Where B is valid if:validblock_(q) ^(D)(B): =(H(ctr,G(s,x))<D)^(ctr<q)=1.Where H: {0, 1}*→{0, 1}^(K) and G: {0, 1}*→{0, 1}^(K) are collisionresistant hash functions and the parameters D∈

and q∈

are the block's difficulty level and the maximum number of hash queriesthat a user is allowed to make within a round of the protocol,respectively.

The example blockchain, C, may be a chain (or sequence) of blocks. Inthe example, the rightmost block is the head of the chain, denoted byHead(C). Any chain C with a head Head(C):=(s, x, ctr) can be extended toa new longer chain C′:=C∥B′ by attaching a (valid) block B′:=(s′, x′,ctr′) such that s′=H (ctr, G(s, x)); the head of the new chain C′ isHead(C′)=8′. A chain C can also be empty, and denoted as C=∈. Thefunction len(C) denotes the length (number of blocks) of a chain C. Fora chain C of length n and any k≥0, C^(┌k) is the chain resulting fromremoving the k rightmost blocks of C, and analogously ^(k┐)C is thechain resulting in removing the k leftmost blocks of C, if k≥n thenC^(┌k)=∈ and ^(k┐)C=∈. If C is a prefix of C′, it may be denoted C

C′. Further, the difficulty level D may differ among blocks in a chain.

Example Rewritable Blockchain

In an example rewritable blockchain scenario for the example blockchainabove, a block may be a tuple B:=

s,x,ctr,(h,ξ)

, the new component (h, ξ) may be a hash/check pair for a secret-coinchameleon hash. The function G may be a secret-coin chameleon hashCH=(HGen, Hash, HVer, HCol). The validation predicate for this modifiedblock may be:

validblock_(q)^(D)(B) := (H(ctr, h) < D)⋀(HVer(hk, (s, x), (h, ξ)))⋀(ctr < q) = 1.

The domain of the chameleon hash may be adjusted, for example, to a sizecommensurate to the application of the blockchain by hashing the inputof the argument, Hash, with a regular collision resistant hash of thedesired output size.

The verification of a chameleon hash may be computed using its ownverification function (HVer). However, some hash functions, such asthose without key secrets, may be verified by precomputing the hash.

In some cases, a chain redacting algorithm, such as example algorithm 1,may take as an input: a chain C to be redacted, a set of indices thatrepresents the positions (in the chain C) of the blocks that are beingredacted, and another set containing the new x″s values for theindividual blocks that are being redacted. The example algorithm mayaccept chameleon hash trapdoor key tk as an input. The algorithmintuition is that for each block to be redacted we compute a collisionfor the hash of the block with its new content x′. A new chain C′ iscreated by replacing the original block with its modified counterpart.At the end of the execution of Algorithm 1, the central authority maybroadcast the new redacted chain as a special chain, such that the usersof the system adopt the new redacted chain in favor of other chainseven, for example, longer ones.

Algorithm 1: Chain Redaction input :  The input chain C of length n, aset of block indices / ⊂ [n], a set of x's values {x′_(i)}_(i∈l), andthe chameleon hash trapdoor key tk. output:  The redacted chain C oflength n. C′ ← C; Parse the chain C′ as (B₁, . . . , B_(n)); for i := 1to n do  | if i ∈ l then  | | Parse the i-th block of C′ as B_(i) :=  

s_(i) ,x_(i),ctr_(i),(h_(i),ξ_(i)) 

;  | | ξ′_(i) ← HCol(tk,(h_(i,)s_(i) ∥ x_(i,)ξ_(i)),(s_(i) ∥ x′_(i))); | | B′_(i) :=  

s_(i),x′_(i),ctr_(i),(h_(i),ξ′_(i)) 

;  | | C′ ← C′^(┌i)∥ B′_(i) ∥^(i┐) C′;  | end end return C′

In some cases, collision resistant chameleon hash functions may besusceptible to key exposure. For example, for some collision resistantchameleon hash functions it may be possible to retrieve the key secretafter seeing collisions for the function. Note that both algorithmspresented (Algorithm 1 and 2) may expose one or more collisions for aredaction. For example, an algorithm may expose a collision forredaction or for each block changed or redacted. In some cases, a systemmay implement a chameleon hash with added collision resistance to avoidkey exposure. However, some systems may rely on collision resistance andcontrolled levels of collision exposure.

In some cases, a trusted party may remove entire blocks from arewritable blockchain. For example, a use case may be scalabilitymaintenance, such as saving disk space and computational power relativeto what may be used to handle larger (unredacted) chains. To remove theblock B_(i), the block B_(i+1) may be altered by assigning s_(i+1)←s₁.The system may then compute a collision for B_(i+1) that produces thenew block B′_(i+1) which may be inserted in the chain in place of blockB_(i+1), which leaves the chain in a coding-consistent state. At the endof the execution of Algorithm 2, the central authority may broadcast thenew shrunken chain as a special chain, such that the users of the systemadopt the new redacted chain in favor of other chains.

Algorithm 2: Chain Shrinking input :  The input chain C of length n, aset of block indices / ⊂ [n] and the chameleon hash trapdoor key tk.output:  The new chain C′ of length n − |/|. C′ ← C; Parse the chain C′as (B₁, . . . , B_(n)); for i := 1 to n do  | if i ∈ l then  | | Parsethe i-th block of C′ as B_(i) :=  

s_(i),x_(i),ctr_(i),(h_(i),ξ_(i)) 

;  | | Parse the i +1-th block of C′ as B_(i+1) :=

s_(i+1),x_(i+1),ctr_(i+1),(h_(i+1),ξ_(i+1))

;  | | ξ′_(i+1) ← HCol(tk,(h_(i+1,)s_(i+1) ∥ x_(i+1,)ξ_(i+1)),(s_(i) ∥x_(i+1)));  | | B′_(i+1) :=  

s_(i),x_(i+1),ctr_(i+1),(h_(i+1),ξ_(i+1)) 

;  | | C′ ← C′^(┌i)∥ B′_(i+1) ∥^(i+1┐) C′;  | end end return C'Decentralized Key Secret Exchange

In some implementations, a candidate trusted authority may be apparent.For example, in some financial interactions, a bank or bank official mayhold a key secret for the integrity code, such as a chameleon hash. Insome cases, peer-to-peer applications may not necessarily have such aclear candidate trusted party. This situation may be addressed by usinga decentralized key secret distribution scheme. In this case, thetrapdoor key may not necessarily be known by any individual party, butrather be shared among some fixed set of users, such that the userstogether makeup the trusted party. When a block needs to be redacted,the users from this set engage in a secure multiparty computationprotocol (MPC) to compute Algorithm 1.

In some cases, secure key exchanges, such as MPCs, may operate by havingthe parties send a start signal. In some cases, some parties may behonest or dishonest. Honest parties may aim to work with the otherparties to access the complete key secret. However, dishonest partiesmay wish to disrupt the process by sending false shares. Nevertheless,the secure key exchange still may involve receiving shares with bothhonest and dishonest parties. After receiving the “start” signal fromall honest parties, a system may run (hk, tk)←$ HGen(1^(K)) and send hkto the dishonest party. Accordingly, the individual parties in theexchange P_(i) may receive shares. The system may construct a completeset of shares (s₁ . . . s_(n)) from honest parties because the sharessent by the dishonest parties may constitute an unqualified set. Once, acomplete set is formed, the system may send s_(i) to each honest party.

The system may receive the shares s_(i) from each party P_(i) andreconstruct the trapdoor key tk:=Rec(s₁, . . . , s_(n)). The shares ofthe dishonest parties are chosen by the dishonest party. Upon receivinga “compute collision” signal for the pair ((h, m, ξ), m′) from allhonest parties, compute ξ′←HCol(tk, (h, m, ξ), m′) and send (h, m, ξ)and ξ′ to the dishonest party. Upon receiving an “OK” signal from thedishonest party, the system may forward the value ξ′ to all honestparties. However, if an “OK” is not received, the system may forward ⊥(e.g., a runtime failure indicator) to all honest parties.

In an example scenario, an example system may include n active users. Asubset U∈[n] of users may hold a share of the trapdoor key tk. Thesubset U of users may execute a decentralized key generation protocol.At the end of the run, users in the subset U get a share s_(i) of tk.When a block B_(k):=

(s,x,ctr,(h,ξ)

is redacted into the modified block {tilde over (B)}_(k): =

s,{tilde over (x)},ctr,(h,{tilde over (ξ)})

the users may inspect their own blockchains and find block B_(k). Theusers in the subset may then execute the distributed hash collisionprotocol to compute the value {tilde over (ξ)}. The users may inputtheir own private share s_(i) of tk, the values s, x, h, ξ and {tildeover (x)}. At the end of the protocol, the users in subset U receive thevalue {tilde over (ξ)} of block {tilde over (B)}_(k). The users mayupdate their own blockchain by replacing block B_(k) with block {tildeover (B)}_(k) and broadcast this new rewritten chain. In some cases, theusers may broadcast the new chain as a new special chain. In someimplementations, rewrites to the blockchain may occur infrequently. Useof special chain broadcasts may not necessarily cause frequentdisruption. However, special and non-special transmissions may be usedin various implementations.

An example choice for the set U would be to pick a subset of users thatare online. However, this choice can be dependent on the application. Wealso deal with the issue where some users in U are in fact malicious,and their goal is to learn tk or to prevent its correct reconstruction.

Concrete Instantiations

In some example implementations, chameleon hash (CH) constructions thatare described in: Giuseppe Ateniese and Breno de Medeiros, “On the keyexposure problem in chameleon hashes”, SCN, pages 165-179, 2004 may beused by the system. As discussed above, an example CH construction thatmay be implemented has a twin Nyberg-Rueppel signature along with addedcollision resistance, for example a CH that exhibits example property 8.The parameters for the function may include a random prime q and p=2q+1.The parameters may further include a generator g of the subgroup ofquadratic residues Q_(p) of Z*_(p), and a collision resistant hashfunction H.

-   -   (hk, tk)←$ HGen(1^(K)): The key secret is a random value tk∈[1,        q−1], and the hash key is hk←g^(tk).    -   h:=Hash(m, r, s): To hash a message m∈M with random values (r,        s)∈Z_(q)×Z_(q) compute and return h:=r−(hk^(H(m,r)) g⁸ mod p)        mod q.    -   {0, 1}:=HVer(h, m, r, s): To verify just return Hash(m, r, s)=h.    -   (r′, s′)←$ HCol(h, m, r, s, m′): To compute a collision for        message m′, pick a random k∈[1, q−1], compute r′←h+(g^(k) mod p)        mod q, and compute s′←k−H (m′, r′)·tk mod q. Return (r′, s′).

Semi-Honest Scenario.

In an example scenario, the users in subgroup U are semi-trusted. Inthis scenario, the semi-honest users in subgroup U may be trusted toexecute the protocol and behave according to the rules, for example, theusers in subgroup U may be relied upon to input the correct shares. Forthis semi-honest scenario, a n-threshold key secret sharing scheme basedon sums is described below:

Sharing Phase:

-   -   The dealer chooses a secret s and n shares s_(i) such that

$s = {\sum\limits_{i = 1}^{n}{s_{i}.}}$

-   -   The n parties P_(i) receive their respective key secret shares        s_(i).

Reconstruction Phase:

-   -   The dealer receives from the parties P_(i) a share s_(i) and        reconstructs the key secret

$s = {\sum\limits_{i = 1}^{n}{s_{i}.}}$

In the example scenario, the users u∈U individually choose a randomx_(i)∈[1, q−1] as their respective key secret shares and broadcast thevalue y_(i)←g^(xi). The hash trapdoor key may be tk←Σ_(i=1) ^(n)x_(i)x_(i) mod q, and the hash key may be hk←g^(tk). This protocol may benon-interactive because it may not necessarily require any exchange ofmessages among the users. Further, no set of n−1 users may necessarilybe able reconstruct tk. Further, the system may frustrate attempts tolearn information about tk because the shares are just random elements.

In the example scenario, the users u∈U may agree on a pair ((h, m, r,s), m′). The users individually choose a respective random k_(i)∈[1,q−1], broadcast g^(ki), and later compute

$\left. r^{\prime}\leftarrow{h + \left( {\prod\limits_{i = 1}^{n}{g^{k_{i}}{mod}\; p}} \right)} \right.$mod q. in some cases, the systems of the individual users may computeh′←H (m, r′) without necessarily receiving additional input from theother users in the subgroup. To compute s′ the users may execute a MPCprotocol to compute the multiplication s″←h′·tk by inputting the usersrespective shares of tk. The user may execute an additional and anotherMPC protocol to compute the difference s′←k−s″ by inputting thepreviously chosen shares of k.

Dishonest Scenario.

Additionally or alternatively, an example scenario may include someusers, entities, parties, devices, or other entities, that may bedishonest. For example, dishonest users may deviate from a protocolspecification to attempt to learn other users' key secret shares. Tomaintain security in such scenario robust secret sharing schemes may beimplemented for key secret sharing. In some cases, robust secret sharingmay support a threshold number (e.g., an integer t<n) of users that maybe dishonest. A user executing a robust secret sharing may reconstructthe correct key secret from the given shares even if (up to) thethreshold number of users are dishonest. A robust secret sharing schememay be implemented using a Shamir secret sharing scheme plusReed-Solomon (RS) error correcting code. In the key secretreconstruction phase, the RS codes are used in each share beforereconstructing the key secret. In some cases, a Shamir secret sharingscheme paired with RS error correction may operate with up to one thirdof the users being actively dishonest. In some example schemes, anydishonest user threshold may be supported, for example, this may includea threshold that allows just short of a majority of users to bedishonest.

The users in the subgroup may chose a respective random string ρ_(i)∈and parses it as p_(i):=tk_(i)∥p₁∥p₂ ²∥ . . . ∥p_(i) ^(n), so that thesubgroup may agree on a polynomial P(X). The polynomial may be definedas P(X):=tk+P₁·X+P₂·X²+ . . . +P_(n-1)·X^(n-1), with P(i):=Σ_(j=1)^(n)p_(i) ^(j) and P(0):=Σ_(i∈[n])tk_(i). To distribute the shares, theusers may execute a MPC protocol to compute the shares of each user i.For a user i, the corresponding share maybe the sum P(i):=Σ_(j=1)^(n)p_(i) ^(j). In the reconstruction phase, the shares of the users maybe decoded using RS codes.

In some implementations, sharing schemes such as those described in TalRabin and Michael Ben-Or, “Verifiable secret sharing and multipartyprotocols with honest majority (extended abstract)”, ACM STOC, pages73-85, 1989 may be used. For example, sharing schemes discussed thereinmay use a broadcast channel and be capable of successful operation wherea majority of parties are honest.

Further, some implementations, may use schemes such those with anoptimizable share size described in: Allison Bishop, Valerio Pastro,Rajmohan Rajaraman, and Daniel Wichs, “Essentially optimal robust secretsharing with maximal corruptions” IACR Cryptology ePrint Archive,2015:1032, 2015 may be used. For example, sharing schemes discussedtherein may have corruption settings that lack linear dependence betweenthe share size and the number of parties, n. In some cases, the sharesize may grow linear with k, where 2^(−k) is the probability of failure.

Structure at the Block Level

FIG. 8 shows an example blockchain portion 800 paired with an exampleupdated blockchain portion 850. In the example, blockchain portions 800,850 an outer hash H is paired with an inner hash G. The inner hash maybe nested within the outer hash such that the output of the inner hashis provided to the outer hash as an input. In the example, blockchainportion, the inner hash G may be a chameleon hash function. The outerhash H may be a chameleon hash function or another hash function. Theblocks may include a HashPrev (e.g. previous hash) 802 field which mayinclude a store for holding the hash output corresponding to theprevious block, for example s, s′, s″. The blocks 820, 822, 832, 834 maynot necessarily include a hash output of their own input. However, thehash output for the blocks is shown above the block to demonstrate thelinkage 803 to the next block (e.g., the linkage 803 between block 832and 820 and between 820 and 834). The blocks 820, 822, 832, 834 mayfurther include a Payload 804 field which may hold data (e.g., x, x′,x″) secured within the block, such as, transaction information, smartcontract content, numerical values, currency denominations, or othersecured data.

A counter field 806 may also be included, for example ctr, ctr′, ctr″.The counter field 806 may include a counter or nonce that may be usedfor proof of work (PoW) computation, accounting, block tracking, orother purposes. In cryptocurrency implementations, PoW may be used toverify the validity of a currency award to a particular party. PoW mayinclude solutions to computational problems where the solutions acomputationally complex to derive, but comparatively computationallysimple to verify. PoW may also be used in smart contracts to verify thata particular party has completed their obligations under the contract.

The Randomness 808 field may be updated when the block is redacted, forexample, when a collision is computed. In some cases the Randomnessfield may hold the third data, (e.g., r, r″, r″) that may be paired withthe replacement data to allow a non-tamper-evident rewrite to theblockchain. When a block 820 is redacted, the values s′, x′, ctr′, andr′ may be replaced by s′, *x′, ctr′, and *r′. In the example scenario,s′ and ctr′ may not necessarily be modified since ctr′ may be used bythe outer hash to compute the PoW and is the link to the previous blockthat remains the same. Using a chameleon hash key secret for the innerhash function G, it may be possible to find a collision such that G(s′,x′, and r′)=G(s′, *x′, and *r′). Accordingly, H(ctr′, G(s′, x′, andr′))=H(ctr′, G(s′, *x′, and *r′)). As a result s″ may remain unchangedthrough redaction. The updated block portion 850 includes thereplacement block 822 with values *x′ and *r′.

In some implementations, the system may delete a block by replacings_(i+1) with s_(i) in Block_(i+1) and then running the redaction processon Block_(i+1). Additionally or alternatively, the system may delete ablock by making the value s_(i+1) in Block_(i+1) point to Block_(i−1).In some cases, the ctr value in Block_(i−1) may be changed to maintaincoding-consistency with the updated value s_(i+1) in Block_(i+1).

Multiple Chain Blockchain

In some implementations, a trusted entity may perform a redaction thatmay be concealed and users may be unaware that a new blockchain hasreplaced the original blockchain. That is, users may not necessarily beable to detect whether parts of the blockchain were redacted or notunless old copies of the blockchain could be restored.

However, in some implementations, it may be advantageous to makeredactions evident. For example, tamper-evident redactions may beadvantageous in systems where redactions are audited, where previousagreement calls for evidence when redactions are performed, or in othercases when evidence of redaction is advantageous or otherwisepreferable. In systems that are redaction evident, content removal ormodification may leave a rewrite identifier or “scar” (e.g., a rewriteartifact) that may not necessarily be removable by anyone including thetrusted parties. However, in some implementations, the scar may beremovable by a subset of the trusted parties or through coordination ofmultiple parties, as discussed below.

In some redaction evident implementations, a single blockchain mayinclude chains, one based on the write-locked chain, e.g., a hashfunction that lacks a key secret or a hash function for which the keysecret is unknown, and one based on a rewritable blockchain, e.g., achameleon hash. If in both chains the write-locked and rewritable chainsare intact, then there was no redaction and the blocks are original. Ifthe write-locked chain is broken and the chameleon chain is intact, thenthere was a redaction by a trusted entity. However, if the rewritablechain is broken, then there was an edit to the blockchain by anuntrusted entity and the blockchain may be invalidated. In some cases,if the rewritable chain is broken, the blockchain may be invalidatedregardless of the state of the write-locked chain. Accordingly, in suchcases, the integrity of the blockchain is ensured by the chameleon chainwhile the write-lock chain acts as a detection mechanism. Thus, inblockchains supporting rewrites with scar evidence, the validity of theblockchain is logically separated from the creation of a record oftamper.

In some implementations, multiple chains may be used to differentiateamong different trusted entities. Accordingly, multiple rewriteablechains may be included in a blockchain along with zero or morewrite-locked chains. In a multiple-trusted entity tracking blockchain,the chain corresponding to the trusted entity that made the redactionwill be unbroken while other chains, include chains corresponding toother trusted entities or write-locked chains may be broken. In someimplementations, the inclusion of multiple rewritable chains providesthe tamper scar or rewrite identifier without an accompanyingwrite-locked chain since only the chain corresponding to the trustedentity that made the edit may be left unbroken, while the other chains,although rewritable by other trusted entities, may be broken as a resultof the edit. In some cases, a scar may be later removed when anothertrusted entity or entities in possession of the key to one or more ofthe other chains ratifies the edits made by the earlier trusted party.This may protect the blockchain from untraceable unilateral edits by onetrusted party, but still allow a single trusted party to removesensitive information quickly without coordination among multipleparties.

Further, in some schemes, some trusted entities may be authorized tomake edits without scars, while other trusted parties may leave scarswhen making edits. For example, in a multiple rewritable chain scheme,one trusted party may have a key for all chains while other parties havekeys for only a portion of the chains. A party with all keys may makeedits without scars, while parties with only a portion of the keys mayleave scars when editing. The multiple chain scheme may be combined withthe distributed key schemes, such that, parties may aggregate their keysto make edits without scars in case where the parties would leave scarswhen acting alone.

FIG. 9 shows an example dual chain blockchain portion 900, 950, wherethe block B2 902 is modified. The key secret 903 held by the one or moretrusted parties allows the trusted parties to open the link 904 andchange the block B2 902. However, the write-locked link 906, or otherlink for which the trusted party lacks the key, may be broken to signalthat a redaction took place. Referring to 950, the old block B2 902,with possibly sensitive information may be removed, but the broken link956 acts as an indelible mark or scar that provides a persistent recordthat a redaction to produce new block B2′ 952 took place.

Multiple chain blockchains may also be used to generate a hybridblockchain with non-rewriteable blockchain space paired with rewritableblockchain space. For example, a system may secure a first of each blockin of a set of blocks in a blockchain with an integrity code that lacksa key secret. Accordingly, any attempt by any party to rewrite theseparts of the blocks would be tamper evident. The example system maysecure remaining parts of the blocks with an integrity code thatsupports rewrites by trusted parties. These rewritable portions could bealtered by trusted parties without generating evidence of tamper.Accordingly, a hybrid blockchain may be used by operators to generate ablockchain system with immutable core data that is paired with tertiarydata that may be rewritten by a limited number of trusted parties.

FIG. 10 shows an example hybrid blockchain 1000. The hybrid blockchain1000 includes blocks 1010, 1020, 1030, 1040 with a core 1002 part and atertiary part 1004. The block portions 1012, 1022, 1032, 1042 making upthe core part 1002 are secured by a core integrity code 1006 which maynot necessarily support non-tamper-evident rewrites by any party.Conversely, the block portions 1014, 1024, 1034, 1044 making up thetertiary parts 1004 of the blocks 1010, 1020, 1030, 1040 may be securedby a tertiary integrity code 1008 that supports non-tamper-evidentrewrites.

In various implementations, the core 1006 and tertiary 1008 integritycodes may themselves implement multiple chains. For example, the coreintegrity code 1006 or the tertiary integrity code 1008 may supportscarring, as discussed above, such that valid rewrites may be performedon the parts 1002, 1004, but those changes still generate evidence oftampering despite being valid. Additionally or alternatively, the core1006 and tertiary 1008 integrity codes may supportmultiple-trusted-party ratification, or require different numbers of keysecret portions to support editing. For example, edits to the core parts1002 may depend on ratification by two trusted parties to perform anon-tamper evident rewrite, while non-tamper-evident edits to thetertiary portion may be performed by a single trusted party. Fordistributed key secret systems, an example system may allow anon-tamper-evident rewrite to the tertiary part 1004 using M portions ofthe key secret, while only allowing non-tamper-evident rewrites to thecore part 1002 when N portions of the key secret are combined (whereN>M).

In an example scenario, the hybrid blockchain could be used to constructa ledger with fully immutable transaction data that is paired withtransaction description/comment data that may be rewritten by a selectgroup of curators for the ledger. In some cases, the ledger entries mayinclude size caps or constraints in the type of data that may beentered. Constraining allowed rewrites may frustrate attempts to writeirrelevant or malicious content into the immutable ledger portions ofthe blocks. The description/comment field within the rewritable portionsof the blocks may be subject to fewer entry restrictions. However, thecurators may alter or remove previously written content in thedescription/comments fields without the changes being tamper evident.

FIG. 11 shows an example rewritable blockchain scenario 1100. In therewritable blockchain scenario 1100, a trusted party 1101 in control ofa key secret 1150 (or master key secret) may perform rewrites 1172 onits own authority. For example, the trusted party may be in full controlof the key secret, because the trusted party does not necessarily haveto coordinate with other parties to perform rewrites 1172. The trustedparty 1101 may control a BRS 400, e.g. directly or from one or moreterminals 1110, the BRS 400 may store the key secret 1150 in memory 420(e.g., protected memory 480) or access/receive the key secret 1150 fromremote locations, such as terminals 1110, cloud storage, or othernetwork locations. The terminals 1110 may include various communicationdevices such as, computers, webservers, laptops, cellular telephones,smartphones, tablets, internet connected appliances, internet of thingsdevices, or other communication devices. The BRS 400 may execute RML 441and/or rewrite logic 600 to preform blockchain rewrites 1172. Untrustedparties 1102 may access the BRS 400, other BRSs 400 systems, terminals1110, or BPSs 300 which may verify the blockchain and/or append blocks1174 (e.g., adding new blocks to the end of the blockchain).

Some untrusted parties may control BRSs 400, including the BRS 400 undercontrol of the trusted party. However, the untrusted parties are unableto access the stored key secret 1150. For example, some untrustedparties may lack user account authority on the BRS 400 to access the keysecret 1150 of the trusted party, but may still have access to otherfunctions of the BRS 400. Additionally or alternatively, untrustedparties, with respect to a first rewritable blockchain, may serve astrusted parties with regard to other blockchains. Accordingly, a singleBRS 400 may provide rewrite operations 1172 to multiple differenttrusted parties for multiple different blockchains.

The BRS 400 may access blockchains. When instructed under the authorityof the trusted party, the BRS 400 may perform rewrites on the accessedblockchains using the key secret 1150.

FIG. 12 shows an example distributed key secret blockchain rewritescenario 1200. In the example scenario 1200, the parties may includeindividually untrusted parties IUPs (1299), trusted parties 1101, anduntrusted parties 1102. The IUPs 1299 may be in control of portions 1260of a key secret, while trusted parties 1101 may be in control of anentire key secret 1150. In the example scenario, rewrites 1272 may beperformed when the IUPs 1299 combine their key secret portions 1260(e.g., by PKE or other secret exchange scheme, as discussed above) or asingle-party rewrite 1172 under the authority of the trusted party 1101using its key secret 1150. However, various other example distributedkey secret blockchain rewrite scenarios no single party may be in fullcontrol of a key secret 1150, and accordingly, non-tamper evidentblockchain rewrites 1272 are possible when the IUPs 1299 combine theirportions 1260.

Referring again to the example distributed key secret blockchain rewritescenario 1200, the IUPs 1299 may combine their portions to perform anon-tamper-evident rewrite 1272. The IUPs 1299 may store their keysecret portions 1260 on BRSs 400, BPSs 300, terminals 1110, or othermemory locations. The IUPs 1299 may combine their portions using one ofthe exchange schemes describe above. Once the combined key secret 1262is available, a BRS 400 may access the combined key secret 1262 toperform non-tamper-evident rewrites.

Moving now to a discussion of real world applications of rewritableblockchains, blockchain may be used (e.g., by a private company) tomaintain records. For example, a service provider (e.g., a bank,financial institution, or other enterprise) may maintain a blockchainholding records of transactions.

FIG. 13 shows an example blockchain record maintenance scenario 1300. Insome cases, the blockchain 1302, which can be rewritten, may bemaintained by the service provider 1304 in a public location whereparties 1308 to a transaction may append blocks 1310, (e.g., containingtransaction records 1399) to the end of the blockchain 1302, when theparties complete transactions. The service provider 1304 holds the keysecret 1350 and is a trusted party. Because parties 1308 performingtransactions are untrusted, the service provider 1304 may rely theappend-only nature of the blockchain to deter tampering with pastrecords.

In some jurisdictions, such as the European Union, individuals may havea right to be forgotten. Further, because the blockchain 1302 includestransaction records 1399 and is publicly available, the blockchain 1302may provide a public record 1398 of fraudulent activity by past users.Since individuals may have an extensive right to have references to apast crime removed from the public sphere after completing a sentencefor that crime, the service provider 1304 may have a legal duty toremove the public record 1398 of fraudulent activity. If the blockchain1302 could not be rewritten, the service provider 1304 may be forced toeither invalidate the blockchain 1302 or clear the entire blockchain1302 to comply with the law. However, since the service provider 1304may perform non-tamper-evident rewrites to the blockchain 1302, theservice provider may remove the public record 1398 without evidence oftamper that would invalidate the blockchain. Accordingly, the rewritableblockchain techniques and architectures discussed above, provide aconcrete technical solution to a real-world application in public recordkeeping and statutory compliance.

In another real-world application, rewritable blockchains may be used inmaintaining data stream records from internet of things (IoT) devices.FIG. 14 shows an example IoT rewriteable blockchain scenario 1400. AnIoT security camera 1402 may record audio visual (NV) data 1404 andstore the A/V data within a rewritable blockchain 1408. An enterprise1410 operating the IoT security camera 1402 may use it to monitor anarea (e.g., a parking lot of a retail location) open to third-partyclients 1499. When a dispute among the clients 1499 occurs (e.g., aminor automobile accident), the enterprise 1410 may provide the A/V data1404 to clients 1499 within the blockchain 1408.

Accordingly, the enterprise 1410 may be confident that the individualclients 1499 are unable to alter the A/V data 1404. Thus, theauthenticity of the A/V data 1404 can be verified by the clients 1499themselves (or by virtually any party, such as an insurer, mediator, orcourt). As a result, providing the video within a blockchain may reducethe future potential burden on the enterprise 1410 in authenticating theNV data 1404 for the clients 1499. Further, since the blockchain 1408 isrewritable, the enterprise may truncate the NV data 1404 and provide asegment 1420 with the relevant NV data. Without the ability to rewritethe blockchain 1408, the enterprise 1410 may face of choice of providingnon-relevant NV segments or removing the blockchain protection andfacing the risk of more burdensome authentication requirements. Invarious implementations, the segments 1420 may be wrapped-up into aclosed blockchain loop, as discussed below.

The rewritable blockchain techniques and architectures may supportblockchain forms that are impractical or impossible without thetechnical solution of rewrite capabilities. For example, with blockchainrewrite support, a blockchain may be “wrapped-up” into a loop form by atrusted party. In other words, a first block of a given linearblockchain may be rewritten to include an integrity outputcoding-consistent with a subsequent block of the blockchain. Thisreforms the blockchain into a loop, at least in part. Without rewritesupport constructing loops within a blockchain may be impossible orimpractical unless the content of all blocks within the loop is knownprior to the addition of the first block in the loop. In some cases,branching, e.g., having two separate possible blocks that could follow afirst block, is an indicator of blockchain invalidity. Withoutbranching, open loops, e.g. loops not connecting two ends of ablockchain, cannot be constructed. Accordingly, open loops may be validin implementations where the presence of branching does not necessarilyinvalidate a blockchain.

Where the first block is the oldest block of the blockchain and thesubsequent block is the most recent block, the trusted party reforms theblockchain into a closed blockchain loop. Blockchain loops may be usedby parties to provide self-consistent tamper resistance for finitelength blockchains. For example, where a blockchain covers a completedseries of transactions, the blockchain may be wrapped-up into a closedloop to provide a self-consistent record not necessarily dependent onfuture block additions for security.

FIG. 15 shows example wrapped-up blockchains 1530, 1550. The exampleblockchain loop 1530 is an open loop. The example blockchain 1500 is aclosed loop. A trusted party 1504 may wrap-up the blockchain into anopen loop blockchain 1530 by selecting at least one non-end block (e.g.,a block from the group 1532) to lock to another block. Alternatively,the trusted party 1504 may wrap-up the blockchain into a closed loopblockchain 1550 by selecting two end blocks (e.g., the two blocks fromgroup 1552).

For open loop 1530, block 1538 may be rewritten with content 1546 suchthat the integrity output 1536 stored in block 1534 indicates that block1538 precedes block 1534 (e.g., integrity output 1536 should becoding-consistent with content 1546). Since block 1534 remainsunchanged, the content of block 1542 may also be coding-consistent withthe integrity output 1536 stored in block 1534. The integrity output1536 may be written to block 1544 to ensure that block 1538 iscoding-consistent with block 1544 after being rewritten. Block 1544 maybe rewritten with integrity output 1536 such that the integrity output1548 of block 1558 remains coding-consistent with block 1544 after therewrite.

For closed loop blockchain 1550, block 1554 may be rewritten withintegrity output 1556 which indicates that block 1558 precedes block1554 (e.g., integrity output 1556 should be coding-consistent withcontent 1558). Block 1554 may be rewritten with integrity output 1556such that the integrity output 1566 of block 1541 remainscoding-consistent with block 1554 after the rewrite. Accordingly, afterthe closed loop 1550 is created by the trusted party 1504, a rewriteblock 1558 by an untrusted party of would be coding-inconsistent withintegrity output 1556 and would be tamper-evident. In addition, inimplementations where branching invalidates a blockchain, appending ablock after block 1558 would invalidate the closed loop 1550.Accordingly, closed-loop blockchain 1550 may be protected from bothnon-tamper-evident rewrites and non-tamper-evident additions, inimplementations where branching invalidates a blockchain.

The methods, devices, processing, and logic described above may beimplemented in many different ways and in many different combinations ofhardware and software. For example, all or parts of the implementationsmay be circuitry that includes an instruction processor, such as aCentral Processing Unit (CPU), microcontroller, or a microprocessor; anApplication Specific Integrated Circuit (ASIC), Programmable LogicDevice (PLD), or Field Programmable Gate Array (FPGA); or circuitry thatincludes discrete logic or other circuit components, including analogcircuit components, digital circuit components or both; or anycombination thereof. The circuitry may include discrete interconnectedhardware components and/or may be combined on a single integratedcircuit die, distributed among multiple integrated circuit dies, orimplemented in a Multiple Chip Module (MCM) of multiple integratedcircuit dies in a common package, as examples.

The circuitry may further include or access instructions for executionby the circuitry. The instructions may be embodied as a signal and/ordata stream and/or may be stored in a tangible storage medium that isother than a transitory signal, such as a flash memory, a Random AccessMemory (RAM), a Read Only Memory (ROM), an Erasable Programmable ReadOnly Memory (EPROM); or on a magnetic or optical disc, such as a CompactDisc Read Only Memory (CDROM), Hard Disk Drive (HDD), or other magneticor optical disk; or in or on another machine-readable medium. A product,such as a computer program product, may particularly include a storagemedium and instructions stored in or on the medium, and the instructionswhen executed by the circuitry in a device may cause the device toimplement any of the processing described above or illustrated in thedrawings.

The implementations may be distributed as circuitry, e.g., hardware,and/or a combination of hardware and software among multiple systemcomponents, such as among multiple processors and memories, optionallyincluding multiple distributed processing systems. Parameters,databases, and other data structures may be separately stored andmanaged, may be incorporated into a single memory or database, may belogically and physically organized in many different ways, and may beimplemented in many different ways, including as data structures such aslinked lists, hash tables, arrays, records, objects, or implicit storagemechanisms. Programs may be parts (e.g., subroutines) of a singleprogram, separate programs, distributed across several memories andprocessors, or implemented in many different ways, such as in a library,such as a shared library (e.g., a Dynamic Link Library (DLL)). The DLL,for example, may store instructions that perform any of the processingdescribed above or illustrated in the drawings, when executed by thecircuitry.

The techniques and architectures described herein may be used in variousimplementations. As one example, a method may be executed in a hardwaresecurity system. The method may include: receiving, at processingcircuitry, a first portion of a key secret via a key secret exchangeprotocol; combining, with the processing circuitry, the first portionwith a second portion of the key secret to obtain the key secret;determining, with the processing circuitry, to rewrite original data ina selected block of a blockchain with altered data that is differentthan the original data previously stored in the selected block; anddetermining, with the processing circuitry and using the key secret,collision data including the altered data, the collision datacoding-consistent with a previously determined integrity output storedwithin a specific block of the blockchain that follows the selectedblock, the previously determined integrity output generated responsiveto and coding-consistent with the original data.

As another example, a system may include: memory, a blockchain storewithin the memory, and rewrite circuitry in in data communication withthe communication interface. The blockchain may include, a selectedblock including original data; and a specific block including anintegrity output, the integrity output determined using the originaldata as an input. The communication interface may be configured to:perform a key secret exchange operation to receive portions of a keysecret, the portions sent by multiple individually untrusted parties;receive a command coordinated with the key secret exchange protocol, thecommand to overwrite the original data with altered data. The rewritecircuitry may be configured to: obtain a portion combination using theportions of the key secret; when a count of the portions exceeds athreshold count for rewrite privileges: computing collision data thatincludes the altered data: the collision data coding-consistent with theintegrity output, and the computing the collision data performed usingthe portion combination and the altered data as inputs.

In some implementations, the rewrite circuitry may be further configuredto fail to compute the collision data, when the count does not exceedthe threshold count for rewrite privileges.

In some implementations, the rewrite circuitry may be configured to failto compute the collision data by: determining that the count does notexceed the threshold; and responsive to determining that the count doesnot exceed the threshold, forgoing computation of the collision data.

In some implementations, the rewrite circuitry may be configured to:fail to compute the collision data by generating invalid data byattempting to compute the collision data with incomplete knowledge ofthe key secret, the invalid data coding-inconsistent with integrityoutput; and perform a tamper-evident rewrite of the blockchain byoverwriting at least the original data with the invalid data.

In some implementations, the specific block may follow the selectedblock within the blockchain.

In some implementations, the specific block may include a block adjacentto the selected block within the blockchain.

In yet another example, a method may be executed in a hardware securitysystem. The method may include: determining, with processing circuitry,to rewrite original data in a selected block of a blockchain withaltered data different than the original data previously stored in theselected block; identifying a specific block of the blockchain, thespecific block including: a first integrity code and a second integritycode; determining, with the processing circuitry and using a key secret,collision data including the altered data; and performing, with theprocessing circuitry, a tamper-evident rewrite of the blockchain byreplacing the original data with the collision data. The collision databeing coding-consistent with a first integrity output stored within thespecific block of the blockchain; and coding-inconsistent with thesecond integrity output stored within the specific block. The first andsecond integrity outputs generated responsive to and coding-consistentwith the original data.

In another example, a system may include: memory, a blockchain storedwithin the memory, and rewrite circuitry. The blockchain may include: afirst block including original data; and a second block including: afirst integrity output computed using the original data as an input; anda second integrity output computed using the original data as an input.The rewrite circuitry may be configured to: generate a scar in theblockchain by rewriting the first block with altered data different thanthe original data, the altered data coding-consistent with the firstintegrity output but coding-inconsistent with the second integrityoutput.

In another example, a system may include: memory, communicationinterface circuitry, and rewrite circuitry in data communication withthe communication interface and the memory. The memory may be configuredto store a key secret for a chameleon hash that secures a blockchain.The communication interface circuitry may be configured to: access theblockchain in the memory, the blockchain including: a selected block, asecond block subsequent to the selected block on the blockchain, and athird block preceding the selected block on the blockchain. The selectedblock may include: a payload field operable to store original data; afirst previous-hash field operable to store a first chameleon hashoutput; and a randomness field. The second block may include a secondprevious-hash field operable to store a second chameleon hash output.The first chameleon hash output may be generated using content of thethird block as an input. The communication interface circuitry may befurther configured to: receive a trusted-party instruction to perform anon-tamper-evident rewrite to the payload field, the instructionspecifying altered data which will replace the original data previouslystored in the payload field; receive, to facilitate performance of theinstruction, an authorization to access the key secret within thememory, the authorization initiated by a trusted party for theblockchain; and send a rewrite instruction for the blockchain. Therewrite circuitry may be configured to: using the payload field, thefirst previous-hash field, and the key secret as inputs, determinerandomness data to write to the randomness field, the randomness dataselected such that the second chameleon hash output is coding-consistentwith the selected block when the payload field contains the altered dataand the randomness field contains the randomness data; an generate therewrite instruction; and cause the communication interface to send therewrite instruction. The rewrite instruction may include: a firstcommand to write the randomness data into the randomness field; and asecond command to replace the original data with the altered data.

In another example, a system may include memory and rewrite circuitry.The memory may be configured to store a blockchain. The blockchain mayinclude a selected block including original data; and a specific blockincluding an integrity output. The rewrite circuitry may be configuredto perform a non-tamper-evident rewrite of the selected block, thespecific block, or both.

In some implementations, the rewrite circuitry may be configured toperform the non-tamper-evident rewrite by wrapping-up the blockchaininto a loop.

In some implementations, rewrite circuitry may be configured to wrap-upthe blockchain into the loop, by replacing the original data withaltered data coding-consistent with the integrity output.

In some implementations, the rewrite circuitry may be configured towrap-up the blockchain into the loop by wrapping-up the blockchain intoa closed loop, an open loop, or both.

In some implementations, the blockchain may include a tertiary portionand a core portion.

In another example, a system may include memory and a hybrid blockchainstored on the memory. The hybrid blockchain may include a core portion;and a tertiary portion. Meeting a criterion for rewrite privileges mayqualify a party to rewrite the tertiary portion but not the coreportion.

In some implementations, the criterion may include combining a firstthreshold number of key secret portions.

In some implementations, the core portion may be secured by an integritycode that lacks an associated key secret.

In another example, a system may comprise: memory; a blockchain storedin the memory, the blockchain comprising a block with original data, theblockchain secured by a first integrity output for a first integritycode, the first integrity code is configured to yield the firstintegrity output when applied to the original data; and rewritecircuitry in data communication with the memory, the rewrite circuitryconfigured to: access the blockchain; access a key secret for the firstintegrity code, the key secret facilitating identification of collisiondata, the collision data different from the original data, the firstintegrity code is configured to yield the first integrity output whenapplied to the collision data; receive a command to rewrite the originaldata in the block with altered data that is different than the originaldata, the first integrity code does not yield the first integrity outputwhen applied to the altered data; generate additional data responsive tothe key secret and the altered data; generate the collision data basedon the altered data and the additional data; and rewrite the block withthe collision data.

In some implementations, the altered data comprises a redacted versionof the original data, supplemental data relative to the original data,or both.

In some implementations, where the first integrity code comprises acryptographic hash, a chameleon hash, or both.

In some implementations, the blockchain comprises a dual chainconstructed from the first integrity code and a second integrity code.

In some implementations, the second integrity code does not yield asecond integrity output when applied to the collision data.

In some implementations, the second integrity output is configured toact as a rewrite identifier that marks the blockchain as rewritten.

In some implementations, the first integrity code comprises a firstchameleon hash; and the second integrity code comprises arewrite-protected cryptographic hash, a second chameleon hash, or both.

In some implementations, the first integrity code comprises an innerhash nested within an outer hash.

In some implementations, the inner hash comprises a chameleon hash thatis configured to provide a hash output to the outer hash; and the outerhash comprises a rewrite-protected cryptographic hash.

In some implementations, the rewrite circuitry is configured to accessthe key secret by combining multiple portions of the key secret.

In some implementations, the multiple portions are stored in separatememory locations maintained by individually-untrusted parties thattogether makeup a trusted party.

In some implementations, where the rewrite circuitry is configured tocombine the multiple portions using a public-key exchange protocol.

In another example, a method comprises: in a hardware security system:accessing, using processing circuitry, a key secret for a blockchain;determining, with the processing circuitry, to rewrite original data ina selected block of the blockchain with altered data that is differentthan the original data previously stored in the selected block; anddetermining, with the processing circuitry and using the key secret,collision data including the altered data, the collision datacoding-consistent with a previously determined integrity output storedwithin a specific block of the blockchain that follows the selectedblock, the previously determined integrity output generated responsiveto and coding-consistent with the original data.

In some implementations, rewriting the original data with the altereddata comprises rewriting the original data with a redacted version ofthe original data, rewriting the original data with supplemental datarelative to the original data, or both.

In some implementations, the blockchain is secured by an integrity codecomprising a cryptographic hash, a chameleon hash, or both; and the keysecret is specific to the integrity code.

In some implementations, the blockchain comprises a dual chain that usesa first integrity code and a second integrity code.

In some implementations, the altered data comprises acoding-inconsistency with a second integrity output of the secondintegrity code, the second integrity output different than thepreviously determined integrity output.

In some implementations, the coding-inconsistency with the secondintegrity output of the second integrity code is configured to act as arewrite identifier that marks the blockchain as rewritten.

In some implementations, the first integrity code comprises a firstchameleon hash; and the second integrity code comprises arewrite-protected cryptographic hash, a second chameleon hash, or both.

In some implementations, the first integrity code comprises an innerhash nested within an outer hash.

In some implementations, the inner hash comprises a chameleon hashconfigured to provide a hash output to the outer hash; and the outerhash comprises a rewrite-protected cryptographic hash.

In some implementations, accessing the key secret comprises combiningmultiple portions of the key secret.

In another example a computer program or product may include: amachine-readable medium other than a transitory signal; and instructionsstored on the machine-readable medium. The instructions may, whenexecuted, cause a system to: access original data within a blockchain,the original data secured by a first integrity output for an integritycode that is configured to yield the first integrity output when appliedto the original data; determine to rewrite the original data in theblock with altered data different than the original data, such thatrewriting the original data with the altered data produces atamper-evident rewrite; access a key secret in memory; and responsive tothe key secret, execute a non-tamper-evident rewrite of the blockchainthat replaces the first data with at least the altered data such thatthe integrity code is configured to yield the first integrity outputwhen applied to the non-tamper-evident rewrite.

In some implementations, the altered data includes a redacted version ofthe original data, supplemental data relative to the original data, orany combination thereof.

In some implementations, the integrity code includes a chameleon hash.

In some implementations, the instructions are further configured toaccess the key secret by combining multiple portions of the key secret.

In some implementations, the multiple portions are stored in separatememory locations maintained by individually-untrusted parties thattogether makeup a trusted party for the blockchain.

In some implementations, the instructions are further configured toprevent the individually-untrusted parties from individually obtainingknowledge of an entirety of the key secret by combining the multipleportions using a public-key exchange protocol.

In another example, a method includes accessing, via rewrite circuitry,a blockchain stored on memory, where the blockchain includes a blockwith first data; and the blockchain is secured by a first integrityoutput for an integrity code that is configured to yield the firstintegrity output when applied to the original data. The method mayfurther include: accessing, via the rewrite circuitry, a key secret forthe integrity code, the key secret facilitating identification ofcollision data different from the original data, the integrity code isconfigured to yield the first integrity output when applied to thecollision data; determining to rewrite the original data in the blockwith altered data different than the original data, the integrity codedoes not yield the first integrity output when applied to the altereddata; generating additional data responsive to the key secret and thealtered data; generating collision data based on the altered data andthe additional data; and rewriting the block with the collision data.

In some implementations accessing the key secret includes combiningmultiple portions of the key secret, the multiple portions stored inseparate memory locations maintained by individually-untrusted partiesthat together makeup a trusted party.

In another example, a method includes, in a hardware security system:accessing, using processing circuitry, a key secret for a blockchain;determining, with the processing circuitry, to rewrite original data ina selected block of the blockchain with altered data that is differentthan the original data previously stored in the selected block; anddetermining, with the processing circuitry and using the key secret,collision data including the altered data, the collision datacoding-consistent with a previously determined integrity output storedwithin a specific block of the blockchain that follows the selectedblock, the previously determined integrity output generated responsiveto and coding-consistent with the original data.

In some implementations, the blockchain is secured by an integrity codeincluding a cryptographic hash, a chameleon hash, or both. The keysecret is specific to the integrity code.

In some implementations, the blockchain includes a dual chain that usesa first integrity code and a second integrity code.

In some implementations, the altered data includes acoding-inconsistency with a second integrity output of the secondintegrity code, the second integrity output different than thepreviously determined integrity output.

In some implementations, the coding-inconsistency with the secondintegrity output of the second integrity code is configured to act as arewrite identifier that marks the blockchain as rewritten.

In some implementations: the first integrity code includes a firstchameleon hash; and the second integrity code includes arewrite-protected cryptographic hash, a second chameleon hash, or both.

In some implementations, the first integrity code includes an inner hashnested within an outer hash.

In some implementations: the inner hash includes a chameleon hashconfigured to provide a hash output to the outer hash; and the outerhash includes a rewrite-protected cryptographic hash.

In another example, a system includes communication interface circuitryand rewrite circuitry in data communication with the communicationinterface circuitry. The communication interface circuitry is configuredto receive, at processing circuitry, a first portion of a key secret viaa key secret exchange protocol. The rewrite circuitry is configured to:combine the first portion with a second portion of the key secret toobtain the key secret; determine to rewrite original data in a selectedblock of a blockchain with altered data that is different than theoriginal data previously stored in the selected block; and determine,using the key secret, collision data including the altered data, thecollision data coding-consistent with a previously determined integrityoutput stored within a specific block of the blockchain that follows theselected block, the previously determined integrity output generatedresponsive to and coding-consistent with the original data.

In some implementations, the specific block follows the selected blockwithin the blockchain.

In some implementations, the specific block includes a block adjacent tothe selected block within the blockchain.

In some implementations, the communication interface circuitry isconfigured to receive the first portion of the key secret via the keysecret exchange protocol by receiving the first portion of the keysecret via a public key exchange protocol.

In some implementations, the communication interface circuitry isconfigured to receive the first portion of the key secret the key secretexchange protocol by performing the key secret exchange protocol underauthority of multiple individually untrusted parties.

In some implementations, the rewrite circuitry is further configured toaccess the second portion of the key secret in a protected memory priorto combining the first and second portions of the key secret.

In some implementations, the rewrite circuitry is further configured togrant, using the key secret, a third portion of the key secret to apreviously untrusted party.

In some implementations, the rewrite circuitry is configured to grantthe third portion of the key secret by decrypting, using the key secret,a cache storing multiple portions of the key secret.

In some implementations, the rewrite circuitry is configured todetermine to rewrite the original data in the selected block of theblockchain with the altered data by determining to remove a detectablerewrite artifact left by performing a rewrite without access to thefirst portion, the second portion, or both.

In another example, a method includes: accessing, in memory, ablockchain including: a selected block including original data; and aspecific block including an integrity output, the integrity outputdetermined from the original data as an input. The method may furtherinclude, at communication interference circuitry: performing a keysecret exchange operation to receive portions of a key secret, theportions sent by multiple individually untrusted parties; receiving acommand coordinated with the key secret exchange operation, the commandspecifying to overwrite the original data with altered data. The methodmay further include, at rewrite circuitry: obtaining a portioncombination from the portions of the key secret; and when a count of theportions exceeds a rewriting threshold for rewrite privileges, computingcollision data that includes the altered data, where: the collision datais coding-consistent with the integrity output, and collision data isalgorithmically determined from the portion combination and the altereddata as inputs.

In some implementations, the method further includes failing to computethe collision data, when the count does not exceed the rewritingthreshold for rewrite privileges.

In some implementations, failing to compute the collision data includes:determining that the count does not exceed the rewriting threshold; andresponsive to determining that the count does not exceed the rewritingthreshold, forgoing computation of the collision data.

In some implementations, failing to compute the collision data includes:generating invalid data by attempting to compute the collision data withincomplete knowledge of the key secret, the invalid datacoding-inconsistent with integrity output; and performing atamper-evident rewrite of the blockchain includes overwriting at leastthe original data with the invalid data.

In some implementations, the method further includes decrypting a cacheof key secret portions when the count exceeds a granting threshold forkey secret granting privileges.

In another example, a method comprises: in a hardware security system:receiving, at processing circuitry, a first portion of a key secret viaa key secret exchange protocol; combining, with the processingcircuitry, the first portion with a second portion of the key secret toobtain the key secret; determining, with the processing circuitry, torewrite original data in a selected block of a blockchain with altereddata that is different than the original data previously stored in theselected block; and determining, with the processing circuitry and usingthe key secret, collision data including the altered data, the collisiondata coding-consistent with a previously determined integrity outputstored within a specific block of the blockchain that follows theselected block, the previously determined integrity output generatedresponsive to and coding-consistent with the original data.

In some implementations, the specific block follows the selected blockwithin the blockchain.

In some implementations, the specific block comprises a block adjacentto the selected block within the blockchain.

In some implementations, receiving the first portion of the key secretvia the key secret exchange protocol comprises: receiving the firstportion of the key secret via a public key exchange protocol.

In some implementations, receiving the first portion of the key secretthe key secret exchange protocol comprises: performing the key secretexchange protocol under authority of multiple individually-untrustedparties.

In some implementations, the method further comprises: accessing thesecond portion of the key secret in a protected memory prior tocombining the first and second portions of the key secret.

In some implementations, the method further comprises: granting, usingthe key secret, a third portion of the key secret to a previouslyuntrusted party.

In some implementations, granting the third portion of the key secretcomprises: decrypting, using the key secret, a cache storing multipleportions of the key secret.

In some implementations, determining to rewrite the original data in theselected block of the blockchain with the altered data comprises:determining to remove a detectable rewrite artifact left by performing arewrite without access to the first portion, the second portion, orboth.

In another example, a system comprises: a memory; a blockchain storedwithin the memory, the blockchain comprising: a selected blockcomprising original data; and

a specific block comprising an integrity output, the integrity outputdetermined from the original data as an input; communication interfacecircuitry configured to: perform a key secret exchange operation toreceive portions of a key secret, the portions received on behalf ofmultiple individually untrusted parties; receive a command coordinatedwith the key secret exchange operation, the command specifying tooverwrite the original data with altered data; and rewrite circuitry indata communication with the communication interface circuitry, therewrite circuitry configured to: obtain a portion combination from theportions of the key secret; and when a count of the portions exceeds arewriting threshold for rewrite privileges: compute collision data thatincludes the altered data, where: the collision data iscoding-consistent with the integrity output, and the collision data isalgorithmically determined from the portion combination and the altereddata as inputs.

In some implementations, the rewrite circuitry is further configured tofail to compute the collision data when the count does not exceed therewriting threshold for rewrite privileges.

In some implementations, the rewrite circuitry is configured to fail tocompute the collision data by: determining that the count does notexceed the rewriting threshold; and responsive to determining that thecount does not exceed the rewriting threshold, forgoing computation ofthe collision data.

In some implementations, the rewrite circuitry is configured to: fail tocompute the collision data by generating invalid data by attempting tocompute the collision data with incomplete knowledge of the key secret,the invalid data coding-inconsistent with integrity output; and performa tamper-evident rewrite of the blockchain by overwriting at least theoriginal data with the invalid data.

In some implementations, the specific block comprises a block adjacentto the selected block within the blockchain.

In some implementations, the rewrite circuitry is further configured todecrypt a cache of key secret portions when the count exceeds a grantingthreshold for key secret granting privileges.

In another example, a method includes, in a hardware security system:accessing a blockchain stored in memory, the blockchain including afirst block including original data; and a second block including: afirst integrity output computed using the original data as an input; anda second integrity output computed using the original data as an input.The method further includes generating, using rewrite circuitry, arewrite artifact in the blockchain by rewriting the first block withaltered data different than the original data, the altered datacoding-consistent with the first integrity output butcoding-inconsistent with the second integrity output.

In some implementations, generating the rewrite artifact in theblockchain includes rewriting the first block with the altered data byperforming a valid rewrite of the blockchain.

In some implementations, the method further includes removing therewrite artifact by rewriting the first block with ratification datausing a ratification key secret, the ratification data coding-consistentwith the first integrity output and the second integrity output.

In some implementations, the ratification data includes the altereddata; and rewriting the first block with the ratification data byperforming a multiple trusted-party rewrite ratification for theblockchain.

In some implementations, rewriting the first block with the altered dataincludes rewriting the first block with the altered data using a keysecret; and the method further includes, generating the key secret bycombining multiple portions of the key secret in a key secret exchangeprior to rewriting the first block with the altered data.

In some implementations, combining the multiple portions includescombining multiple portions when a count of the multiple portionsexceeds a first threshold for valid tamper-evident rewrites.

In some implementations, combining the multiple portions includescombining multiple portions when a count of the multiple portionsexceeds a first threshold for valid tamper-evident rewrites but does notexceed a second threshold for valid non-tamper evident rewritescoding-consistent with the second integrity output.

In another example, a computer program or product includes: amachine-readable medium, other than a transitory signal; andinstructions stored on the machine-readable medium, the instructionsconfigured to, when executed, cause a system to: determine to rewriteoriginal data in a selected block of a blockchain with altered datadifferent than the original data previously stored in the selectedblock; identify a specific block of the blockchain, the specific blockincluding: a first integrity output and a second integrity output;determine, using a first key secret, collision data including thealtered data; and perform a tamper-evident rewrite of the blockchain byreplacing the original data with the collision data. Where the collisiondata is coding-consistent with the first integrity output, and iscoding-inconsistent with the second integrity output, the first andsecond integrity outputs generated responsive to and coding-consistentwith the original data.

In some implementations, the instructions are configured to cause theprocessing circuitry to perform the tamper-evident rewritecoding-consistent with the first integrity output by performing a validrewrite of the blockchain.

In some implementations, the instructions are configured to cause theprocessing circuitry to perform the tamper-evident rewritecoding-inconsistent with the second integrity output by generating arewrite artifact that marks the blockchain as rewritten.

In some implementations, the instructions are further configured tocause the processing circuitry to determine to rewrite the collisiondata with ratification data using a second key secret after performingthe tamper-evident rewrite of the blockchain, the ratification datacoding-consistent with the first integrity output and the secondintegrity output.

In some implementations, the ratification data includes the altereddata; and the instructions are configured to cause the processingcircuitry to determine to rewrite the collision data with theratification data by determining to perform a multiple trusted-partyratification of the tamper-evident rewrite of the blockchain.

In some implementations, the instructions are further configured tocause the processing circuitry to generate the first key secret bycombining multiple portions of the first key secret in a key secretexchange.

In some implementations, the instructions are configured to cause theprocessing circuitry to combine the multiple portions by combiningmultiple portions when a count of the multiple portions exceeds a firstthreshold for valid tamper-evident rewrites.

In some implementations, the instructions are configured to cause theprocessing circuitry to combine the multiple portions by combiningmultiple portions when a count of the multiple portions exceeds a firstthreshold for valid tamper-evident rewrites but does not exceed a secondthreshold for valid non-tamper evident rewrites coding-consistent withthe second integrity output.

In another example, a method comprises: in a hardware security system:determining, with processing circuitry, to rewrite original data in aselected block of a blockchain with altered data different than theoriginal data previously stored in the selected block; identifying aspecific block of the blockchain, the specific block comprising: a firstintegrity output and a second integrity output; determining, with theprocessing circuitry and using a first key secret, collision dataincluding the altered data, the collision data: coding-consistent withthe first integrity output; and coding-inconsistent with the secondintegrity output, the first and second integrity outputs generatedresponsive to and coding-consistent with the original data; andperforming, with the processing circuitry, a tamper-evident rewrite ofthe blockchain by replacing the original data with the collision data.

In some implementations, performing the tamper-evident rewritecoding-consistent with the first integrity output comprises performing avalid rewrite of the blockchain.

In some implementations, performing the tamper-evident rewritecoding-inconsistent with the second integrity output comprisesgenerating a rewrite artifact that marks the blockchain as rewritten.

In some implementations, the method further comprises: after performingthe tamper-evident rewrite of the blockchain, determining to rewrite thecollision data with ratification data using a second key secret, theratification data coding-consistent with the first integrity output andthe second integrity output.

In some implementations, the ratification data includes the altereddata; and determining to rewrite the collision data with theratification data comprises determining to perform a multipletrusted-party ratification of the tamper-evident rewrite of theblockchain.

In some implementations, the method further comprises: generating thefirst key secret by combining multiple portions of the first key secretin a key secret exchange.

In some implementations, combining the multiple portions comprisescombining multiple portions when a count of the multiple portionsexceeds a first threshold for valid tamper-evident rewrites.

In some implementations, combining the multiple portions comprisescombining multiple portions when a count of the multiple portionsexceeds a first threshold for valid tamper-evident rewrites but does notexceed a second threshold for valid non-tamper evident rewrites.

In another example, a system comprises: memory; a blockchain storedwithin the memory, the blockchain comprising: a first block comprisingoriginal data; and a second block comprising: a first integrity outputcomputed using the original data as an input; and a second integrityoutput computed using the original data as an input; and rewritecircuitry configured to: generate a rewrite artifact in the blockchainby rewriting the first block with altered data different than theoriginal data, the altered data coding-consistent with the firstintegrity output but coding-inconsistent with the second integrityoutput.

In some implementations, the rewrite circuitry is configured to generatethe rewrite artifact in the blockchain by rewriting the first block withthe altered data by performing a valid rewrite of the blockchain.

In some implementations, the rewrite circuitry is further configured toremove the rewrite artifact by rewriting the first block withratification data using a ratification key secret, the ratification datacoding-consistent with the first integrity output and the secondintegrity output.

In some implementations, the ratification data includes the altereddata; and the rewrite circuitry is configured to rewrite the first blockwith the ratification data by performing a multiple trusted-partyrewrite ratification for the blockchain.

In some implementations, the rewrite circuitry is configured to: rewritethe first block with the altered data using a key secret; and prior torewriting the first block with the altered data, generate the key secretby combining multiple portions of the key secret in a key secretexchange.

In some implementations, the rewrite circuitry is configured to combinethe multiple portions by combining the multiple portions when a count ofthe multiple portions exceeds a first threshold for valid tamper-evidentrewrites.

In some implementations, the rewrite circuitry is configured to combinethe multiple portions by combining the multiple portions when a count ofthe multiple portions exceeds a first threshold for valid tamper-evidentrewrites but does not exceed a second threshold for valid non-tamperevident rewrites coding-consistent with the second integrity output.

In another example, a method includes, in a hardware security system:accessing, via communication interface circuitry, a blockchain databaseconfigured to store a blockchain secured by a chameleon hash, theblockchain including: a selected block including: a payload field; and arandomness field; a specific block subsequent to the selected block onthe blockchain, the specific block including a first previous-hash fieldoperable to store a first chameleon hash output; and an intermediateblock between the selected block and the specific block on theblockchain, the first chameleon hash output generated using content ofthe intermediate block as an input. The method further includes, in thehardware security system: receiving a trusted-party instruction todelete the intermediate block from the blockchain; receiving, tofacilitate performance of the instruction, an authorization to access akey secret for the chameleon hash, the authorization initiated by atrusted party for the blockchain; using the payload field, the firstprevious-hash field, and the key secret as inputs, determiningrandomness data to write to the randomness field, the randomness dataselected such that the chameleon hash is configured to yield the firstchameleon hash output is when: the intermediate block is deleted fromthe blockchain; and the chameleon hash is applied to the selected block.The method further includes: generating, at rewrite circuitry, a deleteinstruction; and sending, to the blockchain database and viacommunication interface circuitry, the delete instruction. The deleteinstruction includes: a first command to write the randomness data intothe randomness field; and a second command to delete the intermediateblock from the blockchain.

In some implementations, the intermediate block includes one of multipleblocks between the selected block and the specific block on theblockchain.

In some implementations, the chameleon hash includes a rewritablecryptographic hash nested within a rewrite-protected cryptographic hash.

In some implementations, the specific block further includes a thirdprevious-hash field, the third previous-hash field including awrite-protected hash output generated using a rewrite-protectedcryptographic hash that secures the blockchain in parallel with thechameleon hash.

In some implementations, the rewrite-protected cryptographic hash doesnot yield the write-protected hash output when: the intermediate blockis deleted from the blockchain; and the rewrite-protected cryptographichash is applied to the selected block.

In some implementations, the trusted-party includes multipleindividually untrusted parties; and the method further includescombining multiple key secret portions controlled by the individuallyuntrusted parties using a public key encryption based exchange protocol.

In some implementations, determining the randomness data includessuccessfully generating the randomness data when a count of the multiplekey secret portions exceeds a threshold for rewrite privileges.

In some implementations, each of the multiple key secret portionscontribute equally to the count.

In some implementations, a first one of the multiple key secret portionscontributes more to the count than a second one of the multiple keysecrets portions.

In some implementations, the randomness field is nested within the firstprevious-hash field within the specific block to mask existence of therandomness field.

In some implementations, sending the delete instruction includescomplying with a data privacy rule.

In another example, a computer program or product includes: amachine-readable medium other than a transitory signal; and instructionsstored on the machine-readable medium. The instructions are configuredto, when executed, cause a system to: access a blockchain databaseconfigured to store a blockchain secured by a chameleon hash, theblockchain including: a selected block including: a payload field and arandomness field; a specific block subsequent to the selected block onthe blockchain, the specific block including a first previous-hash fieldoperable to store a first chameleon hash output; and an intermediateblock between the selected block and the specific block on theblockchain, the first chameleon hash output generated using content ofthe intermediate block as an input. The instructions are furtherconfigured to, when executed, cause the system to: receive atrusted-party instruction to delete the intermediate block from theblockchain; receive, to facilitate performance of the instruction, anauthorization to access a key secret for the chameleon hash, theauthorization initiated by a trusted party for the blockchain; using thepayload field, the first previous-hash field, and the key secret asinputs, determine randomness data to write to the randomness field, therandomness data selected such that the chameleon hash is configured toyield the first chameleon hash output when: the intermediate block isdeleted from the blockchain; and the chameleon hash is applied to theselected block. The instructions are further configured to, whenexecuted, cause the system to: generate a delete instruction; and send,the delete instruction to the blockchain database. The deleteinstruction includes: a first command to write the randomness data intothe randomness field; and a second command to delete the intermediateblock from the blockchain.

In another example, a system comprises: memory configured to store a keysecret for a chameleon hash that secures a blockchain; communicationinterface circuitry configured to: access the blockchain in the memory,the blockchain comprising: a selected block comprising: a payload fieldoperable to store original data; a first previous-hash field operable tostore a first chameleon hash output; and a randomness field; a secondblock subsequent to the selected block on the blockchain, the secondblock comprising a second previous-hash field operable to store a secondchameleon hash output; and a third block preceding the selected block onthe blockchain, the first chameleon hash output generated using contentof the third block as an input; receive a trusted-party instruction toperform a non-tamper-evident rewrite to the payload field, thetrusted-party instruction specifying altered data to replace theoriginal data previously stored in the payload field; receive, tofacilitate performance of the instruction, an authorization to accessthe key secret within the memory, the authorization initiated by atrusted party for the blockchain; and send a rewrite instruction for theblockchain; and rewrite circuitry in data communication with thecommunication interface circuitry and the memory, the rewrite circuitryconfigured to: using the payload field, the first previous-hash field,and the key secret as inputs, determine randomness data to write to therandomness field, the randomness data selected such that the chameleonhash is configured to yield the second chameleon hash output when: thepayload field contains the altered data; the randomness field containsthe randomness data; and the chameleon hash is applied to the selectedblock; generate the rewrite instruction, the rewrite instructioncomprising:

a first command to write the randomness data into the randomness field;and a second command to replace the original data with the altered data;and cause the communication interface circuitry to send the rewriteinstruction.

In some implementations, the chameleon hash comprises a rewritablecryptographic hash nested within a rewrite-protected cryptographic hash.

In some implementations, the second block further comprises a thirdprevious-hash field, the third previous-hash field comprising awrite-protected hash output generated using a rewrite-protectedcryptographic hash that secures the blockchain in parallel with thechameleon hash.

In some implementations, the rewrite-protected cryptographic hash doesnot produce the write-protected hash output when: the payload fieldcontains the altered data; the randomness field contains the randomnessdata; and the rewrite-protected cryptographic hash is applied to theselected block.

In some implementations, the trusted-party comprises multipleindividually untrusted parties; and the rewrite circuitry is configuredto combine multiple key secret portions controlled by the individuallyuntrusted parties using a public key encryption based exchange protocol.

In some implementations, the rewrite circuitry is configured tosuccessfully generate the randomness data when a count of the multiplekey secret portions exceeds a threshold for rewrite privileges.

In some implementations, each of the multiple key secret portionscontribute equally to the count.

In some implementations, a first one of the multiple key secret portionscontributes more to the count than a second one of the multiple keysecrets portions.

In some implementations, the randomness field is nested within the firstprevious-hash field within the selected block to mask existence of therandomness field.

In some implementations, the altered data with respect to the originaldata comprises an addition of data to the payload field, a redaction ofdata from the payload field, or both.

In some implementations, the altered data with respect to the originaldata comprises a redaction of data from the payload field; and therewrite circuitry is configured to replace the original data with thealtered data to comply with a data privacy rule.

In some implementations, the system further comprises a triggerconfigured to deploy an anti-theft countermeasure when activated; andthe memory comprises protected memory coupled to the trigger.

In another example, a method comprises, in a hardware security system:accessing, via communication interface circuitry, a blockchain databaseconfigured to store a blockchain secured by a chameleon hash, theblockchain comprising: a selected block comprising: a payload fieldoperable to store original data; a first previous-hash field operable tostore a first chameleon hash output; and a randomness field; a secondblock subsequent to the selected block on the blockchain, the secondblock comprising a second previous-hash field operable to store a secondchameleon hash output; and a third block preceding the selected block onthe blockchain, the first chameleon hash output generated using contentof the third block as an input; receiving, via the communicationinterface circuitry, a trusted-party instruction to perform anon-tamper-evident rewrite to the payload field, the instructionspecifying altered data to replace the original data previously storedin the payload field; receiving, to facilitate performance of theinstruction, an authorization to access a key secret for the chameleonhash, the authorization initiated by a trusted party for the blockchain;and in rewrite circuitry of the hardware security system: using thepayload field, the first previous-hash field, and the key secret asinputs, determine randomness data to write to the randomness field, therandomness data selected such that the chameleon hash is configured toyield the second chameleon hash output when: the payload field containsthe altered data; the randomness field contains the randomness data; andthe chameleon hash is applied to the selected block; generate a rewriteinstruction, the rewrite instruction comprising: a first command towrite the randomness data into the randomness field; and a secondcommand to replace the original data with the altered data; and sending,to the blockchain database and via communication interface circuitry,the rewrite instruction.

In some implementations, the chameleon hash comprises a rewritablecryptographic hash nested within a rewrite-protected cryptographic hash.

In some implementations, the second block further comprises a thirdprevious-hash field, the third previous-hash field comprising awrite-protected hash output generated using a rewrite-protectedcryptographic hash that secures the blockchain in parallel with thechameleon hash.

Various implementations have been specifically described. However, manyother implementations are also possible. Headings and/or subheadingsused herein are intended only to aid the reader with understandingdescribed implementations. The invention is defined by the claims.

What is claimed is:
 1. A method comprising: receiving, at processingcircuitry, a first portion of a key secret via a key secret exchangeprotocol; combining, with the processing circuitry, the first portionwith a second portion of the key secret to obtain the key secret;determining, with the processing circuitry, to rewrite original data ina selected block of a blockchain with altered data that is differentthan the original data previously stored in the selected block; anddetermining, with the processing circuitry and using the key secret,collision data, where: the collision data includes the altered data, thecollision data comprises data coding-consistent with a previouslydetermined integrity output stored within a specific block of theblockchain that follows the selected block, the previously determinedintegrity output comprises an integrity output generated responsive toand coding-consistent with the original data, and rewriting the originaldata with the collision data does not introduce coding-inconsistencywith the previously determined integrity output.
 2. The method of claim1, where the specific block follows the selected block within theblockchain.
 3. The method of claim 1, where the specific block comprisesa block adjacent to the selected block within the blockchain.
 4. Themethod of claim 1, where receiving the first portion of the key secretvia the key secret exchange protocol comprises: receiving the firstportion of the key secret via a public key exchange protocol.
 5. Themethod of claim 1, where receiving the first portion of the key secretvia the key secret exchange protocol comprises: performing the keysecret exchange protocol under authority of multipleindividually-untrusted parties.
 6. The method of claim 1, furthercomprising: accessing the second portion of the key secret in aprotected memory prior to combining the first and second portions of thekey secret.
 7. The method of claim 1, further comprising: granting,using the key secret, a third portion of the key secret to a previouslyuntrusted party.
 8. The method of claim 7, where granting the thirdportion of the key secret comprises: decrypting, using the key secret, acache storing multiple portions of the key secret.
 9. The method ofclaim 1, where determining to rewrite the original data in the selectedblock of the blockchain with the altered data comprises: determining toremove a detectable rewrite artifact left by performing a rewritewithout access to the first portion, the second portion, or both.
 10. Asystem comprising: communication interface circuitry configured toreceive, at processing circuitry, a first portion of a key secret via akey secret exchange protocol; and rewrite circuitry in datacommunication with the communication interface circuitry, the rewritecircuitry configured to: combine the first portion with a second portionof the key secret to obtain the key secret; determine to rewriteoriginal data in a selected block of a blockchain with altered data thatis different than the original data previously stored in the selectedblock; and determine, using the key secret, collision data, where: thecollision data includes the altered data, the collision data comprisesdata coding-consistent with a previously determined integrity outputstored within a specific block of the blockchain that follows theselected block, the previously determined integrity output comprises anintegrity output generated responsive to and coding-consistent with theoriginal data, and the collision data does not introducecoding-inconsistency with the previously determined integrity outputwhen the original data is rewritten with the collision data.
 11. Thesystem of claim 10, where the specific block follows the selected blockwithin the blockchain.
 12. The system of claim 10, where the specificblock comprises a block adjacent to the selected block within theblockchain.
 13. The system of claim 10, where the communicationinterface circuitry is configured to: receive the first portion of thekey secret via the key secret exchange protocol by receiving the firstportion of the key secret via a public key exchange protocol.
 14. Thesystem of claim 10, where the communication interface circuitry isconfigured to: receive the first portion of the key secret the keysecret exchange protocol by performing the key secret exchange protocolunder authority of multiple individually untrusted parties.
 15. Thesystem of claim 10, where the rewrite circuitry is further configuredto: access the second portion of the key secret in a protected memoryprior to combining the first and second portions of the key secret. 16.The system of claim 10, where the rewrite circuitry is furtherconfigured to: grant, using the key secret, a third portion of the keysecret to a previously untrusted party.
 17. The system of claim 16,where the rewrite circuitry is configured to: grant the third portion ofthe key secret by decrypting, using the key secret, a cache storingmultiple portions of the key secret.
 18. The system of claim 10, wherethe rewrite circuitry is configured to: determine to rewrite theoriginal data in the selected block of the blockchain with the altereddata by determining to remove a detectable rewrite artifact left byperforming a rewrite without access to the first portion, the secondportion, or both.
 19. A product comprising: a machine-readable mediumother than a transitory signal; and instructions stored on themachine-readable medium, the instructions configured to, when executed,cause a machine to: receive, at processing circuitry, a first portion ofa key secret via a key secret exchange protocol; combine, with theprocessing circuitry, the first portion with a second portion of the keysecret to obtain the key secret; determine, with the processingcircuitry, to rewrite original data in a selected block of a blockchainwith altered data that is different than the original data previouslystored in the selected block; and determine, with the processingcircuitry and using the key secret, collision data, where: the collisiondata includes the altered data, the collision data comprises datacoding-consistent with a previously determined integrity output storedwithin a specific block of the blockchain that follows the selectedblock, the previously determined integrity output comprises an integrityoutput generated responsive to and coding-consistent with the originaldata, and the collision data does not introduce coding-inconsistencywith the previously determined integrity output when the original datais rewritten with the collision data.
 20. The product of claim 19, wherethe instructions configured to cause the machine to determine to rewritethe original data in the selected block of the blockchain with thealtered data by: determining to remove a detectable rewrite artifactleft by performing a rewrite without access to the first portion, thesecond portion, or both.